Recon Safari #1: A Closer Look at Friendemic’s Data Breach
Reading time: 4 minutes
We've been having some Friday fun running SecurityTrails Recon Safari on Twitter. Over the past few months, we've conducted over 30 successful investigations that were easy to research thanks to SecurityTrails API™ and SurfaceBrowser™. And as a result, Recon Safari began in the form of long Twitter threads, eventually evolving into fun and digestible infographics, ultimately followed by a writeup on our blog.
For this first Recon Safari on our blog, we're looking into recent data breaches to see what we uncover.
Friendemic, a reputation management and digital customer experience company for car dealers, had a data breach in mid-September. Over 2.7 million records were leaked, with consumers' names, email addresses and phone numbers compromised. A researcher at Comparitech, found a backup copy of an SQL database, or an SQL dump, that could have been caused by bad backup or copy error during migration.
Our team's initial reaction was to dig a bit into our OSINT data using SurfaceBrowser™, our go-to tool when we need to know everything quickly. We designed SurfaceBrowser™ to be an all-in-one passive intelligence tool that allows us to effortlessly browse through the external Internet surface area of any company, and identify unknown assets or spot network weaknesses.
In the case of Friendemic, we used the tool to access some telling data:
- WHOIS history
- DNS history
- Subdomains with their hosts, ports, and more
- SSL certificates
Domain registration
First, we wanted to verify ownership of the domain, in case it had been initially registered to someone else and then bought by new owners. Their WHOIS registration showed the domain was first registered on July 23, 2010, and that was confirmed on their "About" page. If WHOIS data and the company's founding date don't correlate, that can indicate that the domain may have been registered to someone else, and then bought by the current owners.
Our WHOIS historical data shows that the domain was registered to a "Brigham White" using a personal email address. There is no mention of this person on the company's "About" page, but the registration address refers to Utah as White's state and the company itself is based out of Salt Lake City, Utah.
Friendemic's "About" page mentions their acquisition of GoFanbase in 2017. Our data re-affirms this.
The providers for the subdomains used by Friendemic include:
- Digital Ocean
- Amazon
- Cloudflare
- ServerStack
According to the Comparitech security expert, "The data was stored in an Amazon S3 bucket... it appeared to be an SQL dump or a backup copy of an SQL database, which is usually created for the purpose of migrating a server." The breached data was exposed via an unsecured S3 bucket, and the visibility of Amazon as a provider re-affirms this.
It appears that Digital Ocean is now being used for most of the testing and development:
Open ports
The list of open ports found on Friendemic subdomains includes: 80, 443, 2082, 2083, 2086, 2087, 2095, 2096, 8080, 8443.
The bulk of the current open ports are on Cloudflare subdomains:
The company used Cloudflare for many years to provide DNS(A) records but switched to Digital Ocean in 2019:
Google has been Friendemic's email provider since 2017. Additionally, TXT records show that they are also using MailGun, possibly for outgoing transactional emails, newsletters, and the like:
SSL certificates
The bulk of the SSL certificates are from Let's Encrypt, but their main domain is behind Cloudflare SSL.
The two most recent subdomain changes, from September 25 and 30, correlate with the breach discovery and Friendemic's team patching it up.
No company is 100% secure at all times and Friendemic may have existing bugs. After the breach, we suspect that they will take their security more seriously and this is evidenced by the introduction of Cloudflare. The risks associated with exposing personal data can further be prevented by using non-public solutions for backups or even offline solutions.
Stay tuned for more!
We hope you've enjoyed our first Recon Safari post on the SecurityTrails Blog and that you can see how SecurityTrails can make your infosec investigations so much easier. In future Recon Safaris, we'll be conducting more in-depth investigations to show you the full potential of our data as we reveal the truth about other high-profile domains.
Interested in discovering the full potential of the SecurityTrails SurfaceBrowser™? Book a demo with our team today!
