A recent study found that many online stores keep backups in public folders, putting them and their customers at risk, especially if the copies contain internal account passwords that can be used to take control of the store's website and blackmail the store owner.
According to a study by information security firm Sansec, nearly 12% of online stores forget their backups in public folders due to human error or oversight.
The study examined 2,037 stores of various sizes and found that 250 of them (12.3%) had ZIP, SQL, and TAR archives sitting in public web folders, where anyone could download them without authentication.
The archives appear to be backups containing database passwords, secret admin URLs, internal API keys, and customers' personally identifiable information (PII).
In the same report, Sansec said its analysts observed ongoing activity by attackers running automated scans to locate such backups and then attempting to break into the stores with what they find.
The report also states that “cyber criminals actively look for these backups because they contain passwords and other sensitive information. The exposed secrets are then used to take control of online stores, extort merchants, and intercept customer payments.”
Threat actors request a list of likely backup file names from the target site, generating the candidates from the site's name and public DNS data.
Because these scans are cheap and do not noticeably affect the performance of the target store, attackers can keep running them for weeks until a backup turns up.
Sansec reported seeing these attacks originate from multiple source IP addresses, which indicates that several threat actors know this weakness exists and are actively seeking to exploit it.
If the exposed backups contain administrator details or passwords for the master database or employee accounts, attackers can use them to access online store websites and steal data or perform destructive attacks.
Sansec urges website owners to check their sites regularly for data and backups that have been exposed by mistake. If a backup is found to be exposed, they should immediately reset the database administrator account and password, and then enable two-factor authentication for all employee accounts.
In addition, website owners should review web server logs to determine whether the backups were downloaded by third parties, and check administrator account activity logs for signs of access and activity from outside the organisation.
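The two checks above, an audit of the web root for stray archives and a review of the access log for requests to archive files, can be scripted. The following is an added example, not code from Sansec or from the report; it assumes a web server writing the default combined log format, and the archive extensions, the hypothetical `demo_webroot_audit` helper, and the log lines are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Extensions that usually mean a backup or dump was left in the web root (constructed list).
ARCHIVE_EXTS = (".zip", ".sql", ".tar", ".tar.gz", ".tgz", ".sql.gz", ".bak")

# Apache/Nginx "combined" log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def is_archive_path(path: str) -> bool:
    """True if the request path (query string ignored) names an archive file."""
    name = path.split("?", 1)[0].lower()
    return name.endswith(ARCHIVE_EXTS)


def find_exposed_archives(webroot: Path) -> list[str]:
    """Walk a web root and return archive files as paths relative to it."""
    return sorted(
        p.relative_to(webroot).as_posix()
        for p in webroot.rglob("*")
        if p.is_file() and is_archive_path(p.name)
    )


def scan_access_log(lines) -> dict:
    """Split archive requests into probes (not served) and downloads (2xx, served)."""
    probes = {}       # source IP -> number of archive requests that were not served
    downloads = []    # (ip, path, bytes) for archives that were actually served
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_archive_path(m["path"]):
            continue
        status = int(m["status"])
        if 200 <= status < 300:
            downloads.append((m["ip"], m["path"], m["size"]))
        else:
            probes[m["ip"]] = probes.get(m["ip"], 0) + 1
    return {"probes": probes, "downloads": downloads}


def demo_webroot_audit() -> list[str]:
    """Hypothetical helper: build a throwaway web root and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "media").mkdir()
        (root / "index.php").write_text("<?php // storefront")
        (root / "backup.sql").write_text("-- constructed dump")
        (root / "media" / "site.tar.gz").write_bytes(b"\x1f\x8b")
        return find_exposed_archives(root)


# Constructed access log: one host probing guessed names, one host that found a real dump.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2023:10:00:01 +0000] "GET /shop.zip HTTP/1.1" 404 162
203.0.113.7 - - [10/Mar/2023:10:00:02 +0000] "GET /backup.sql HTTP/1.1" 404 162
203.0.113.7 - - [10/Mar/2023:10:00:03 +0000] "GET /db.tar.gz HTTP/1.1" 404 162
198.51.100.4 - - [10/Mar/2023:10:05:00 +0000] "GET /backup.sql HTTP/1.1" 200 5832190
192.0.2.9 - - [10/Mar/2023:10:06:00 +0000] "GET /index.php?route=product HTTP/1.1" 200 9120
""".splitlines()


if __name__ == "__main__":
    print("archives in web root:", demo_webroot_audit())
    result = scan_access_log(SAMPLE_LOG)
    print("probing hosts:", result["probes"])
    print("served archives:", result["downloads"])
```

A run of probes from one address is the scanning activity the report describes; a 2xx entry for an archive path means the file was actually served and the credentials it contains should be treated as compromised.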
Sansec recommends that online store administrators configure their web servers to block access to archive files that are not needed in day-to-day operations, so that a stray backup cannot leak even if it is left in a public folder. Those who use the Adobe Commerce platform should also use its immutable storage feature.
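One way to apply that web server restriction, as an added example rather than configuration taken from the report, is a location block for Nginx (assumed here as the server; the extension list is illustrative) that refuses to serve archive files from the document root:

```nginx
# Refuse to serve backup and dump files directly, wherever they sit under the web root.
# Answering 404 rather than 403 avoids confirming to a scanner that the file exists.
location ~* \.(zip|sql|tar|tgz|gz|bak)$ {
    return 404;
}
```

Nginx picks the first matching regular-expression location, so this block must come before any other `location ~` rule that could match the same paths; a store that legitimately offers archive downloads needs a more specific location for that directory placed ahead of it. The block is a safety net only; backups still belong outside the web root.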