A Florida-based ad agency has left a database open on the internet that leaked details about past advertising campaigns, including information regarding medical malpractice cases, and sensitive details about combat injuries sustained by US military veterans.
The database, discovered by security researchers from vpnMentor, belonged to X Social Media, an ad company that runs Facebook and Instagram advertising campaigns for the legal industry.
One of the company's main areas of focus is running ad campaigns for medical malpractice lawsuits and injury-related class-action lawsuits.
The purpose of these advertising campaigns is to gather interest from possible parties, who are redirected to dedicated sites where they fill out forms to see if they're eligible for a particular case and possible legal assistance.
According to vpnMentor, the database where X Social Media had been gathering this information was left exposed on the internet without a password, allowing anyone to access and download its content.
Researchers said the database contained over 150,000 responses from users who filled out the forms. Data contained in these forms usually included full names, email addresses, home addresses, phone numbers, and details related to their cases -- mostly focused on medical injuries.
"The injuries described in the database vary from combat injuries suffered by American veterans to injuries caused by medical devices, pesticide use, medication side-effects, and defective baby products," vpnMentor said in a report published this week.
The details about combat injuries not only included information such as the date and place where the injury occurred, but also detailed medical information and mental trauma the person suffered in the aftermath, details that many applicants wouldn't want made public.
On top of this highly sensitive information relating to various injuries and legal cases, the X Social Media database also contained information about all the company's clients, ad campaign metrics, and even all the company's invoices.
If a hacker had found the database and stolen its content, the data would be gold in the hands of the company's competitors, who could use it to undermine X Social Media's business, or just ruin its reputation.
"Future law firms may be less inclined to work with a company that experienced such a widespread breach," vpnMentor said.
Whether any unauthorized party accessed or downloaded this data is currently unknown, as X Social Media did not return a request for comment, nor did it disclose this detail to vpnMentor.
The ad agency closed access to its database on June 11, nine days after vpnMentor found the server and notified the company.