Wandering the interwebs

2018-11-01 UPDATE:

I did want to clarify in clear terms a handful of inaccurate claims I have seen made regarding this report.

  1. This was not a hack. Full stop. I've seen zero evidence to indicate this data was leaked as a result of any kind of compromise or "hack". Claims of that nature are simply inaccurate.
  2. I have seen claims that this was related to Flutterwave, but I have seen no evidence that Flutterwave was involved or compromised in any way.
  3. The data is no longer being leaked or at risk. The S3 bucket has been secured, and I have securely deleted the data that was used in the analysis of this report.

Summary

In the normal course of scanning for open/exposed/vulnerable Amazon S3 buckets I discovered a bucket containing a large number of CSV files. This is not all that odd. What made this bucket particularly interesting was that following a brief investigation it became immediately apparent the bucket appeared to be owned by an airline or a payment processor for an airline. After a thorough review of the files, I concluded these sensitive files were very likely owned by Arik Air. I had not heard of Arik Air, but they describe themselves as "West-Africa's leading airline" source. Arik Air has had a number of financial troubles which most recently lead to the Nigerian government needing to takeover of the airline to prevent it going backrupt. source Long story short -- this seemed like a potentially important find.

After concluding the CSV files were very likely owned by Arik Air (or their payment processor) I immediately attempted to make contact with Arik Air to notify them of this data leak. To say this process was challenging would be an understatement. I can confirm roughly 1 month after notice was provided that action has finally been taken to secure the S3 bucket.

Notification and remediation:

I attempted to notify Arik Air via social media, all of which failed (at least initially). I attempted to email [email protected] (which bounced) and the email address they publish on their website [email protected] -- which received no reply. After multiple messages on their coporate Facebook page and Facebook messages I eventually received a reply and they provided me with the email address for a security point of contact. Several days later the security point of contact confirmed they would review my report, and that was the last I heard from Arik Air. In all -- roughly 1 month elapsed from the time I notified them to the time they took action to acknowledge my report and to secure their customer's data.

Incident Timeline:

DateEvent
September 6, 2018open bucket discovered.
September 6, 2018attempt made to notify. No Twitter account, message left on Facebook page, message sent via Facebook. No replies to any of these attempts.
Septmber 7, 2018message sent to Arik Air employees on LinkedIn.
September 10, 2018[email protected] and [email protected] notified via email. The [email protected] email bounces.
September 17, 2018Message on Facebook finally replied to.
September 18, 2018email provided for a security point of contact. No Reply.
September 23, 2018another email sent to the security point of contact.
September 24, 2018security point of contact replies indicating "it's been reviewed".
October 10, 2018No further reply received, but bucket has been properly secured at some point following Sept 24 email.

What's in the bucket:

So what's in the bucket? That's the question and answer you came to find out.

The answer -- 994 CSV files. Some of these CSV files contain in excess of 80,000+ rows of data while other files contain 46,000+ rows of data, and in some cases files only contain 3 rows of data.

Here's a sampling of the data points that were leaked:

  • Customer email address
  • Customer name
  • Customer's IP at time of purchase
  • A hash of the customer's credit card
  • What appears to be last 4 digits of the credit card used.
  • What appears to be maybe be the first 6 digits of the credit card used.
  • A unique device fingerprint (presumably the user's mobile or desktop device?)
  • Type of currency used
  • Payment card type
  • Business name related to the purchase (more on this below)
  • Amount of purchase
  • Date of purchase
  • Country of origin of the purchaser
  • Charge message (chargemessage) associated with the purchase (more on this below)
  • The "sector" field was populated in some cases. This appears to include the specific departing airport and arriving airport (more on this below)

High level stats

StatsCount
Number of files inthe bucket994 CSV files
Date range of leaked data"2017-12-31T02:25:59.000Z" - "2018-03-16T14:08:50.000Z"(Roughly 3.5 months of data.)
unique devicefingerprint41,304
unique pcardl49,989
unique pcard63,517
unique pcardhash71,065
unique IPs35,593
unique emails65,412
unique customer names54,011

Regarding the "business name" field:

It's not entirely clear who the owner of this data is as Arik Air didn't reply with any further clarification or details. That being said it certainly seems likely to be a bucket controlled by Arik Air, or one of their immediate partners/processors. The fact that all of these purchases have an "acctparentbusinessname" value leads me to believe this could be a payment processor specific to businesses and/or travel agents. It seems unlikely a business name would be populated for personal travel conducted by an individual. In many cases the email address associated with a user also appears to be a travel agent or company email address.

Regarding the "charge message" field:

This field appears to be additional information associated with the attempted purchase. What makes this field particularly concerning in the context of the other leaked data is that it contains information regarding the 2 factor authentication (2FA) at the time of purchase. It references a partially obscured phone # or email address (or both) where the 2FA code is being sent.

A malicious person could potentially use this sensitive information to then target one of these customers of Arik Air for identify theft. With the information included in this leak a fraudster would have plenty of useful data points -- the person's name, email, first 6 and last 4 of the credit card, and a hint as to what the person's 2FA values might be so they could then focus on compromising that 2FA account (email or phone number) to take steal the user's identify.

Regarding the "sector" field:

In some cases this "sector" field is populated. Using this value in combination with a customer's email address it is possible to map out all flights this user has taken in the 3.5 months contained by this leaked data.

When pivoting on a single customer's email address we see the following pattern of travel:

One might certainly consider this to be sensitive information in combination with the customer's name, date of flights, travel itineary, and what looks to be the first 6 and last 4 digits of the customer's credit card number.

Overall travel patterns from this dataset are as follows:

Other stats

Information below is in the format:
Friendly name (fieldname)

Customer Email (custemailprovider)

Customer Email ProviderCount
GMAIL301376
YAHOO203951
COMPANY EMAIL81648
YAHOO UK17036
HOTMAIL11683
MICROSOFT4715
YAHOO MAIL3673
AOL1655
APPLE MAIL920
YAHOO INDIA529
YAHOO BRAZIL126
YAHOO GERMANY100
ZOHO79
BT UK37
YAHOO MEXICO30
YANDEX RUSSIA9
COMCAST6

currency (currency)

Type of CurrencyCount
NGN590611
USD12105
KES10368
EUR7848
GBP4512
GHS2096
ZAR39

Account business name (acctparentbusinessname)

Account Business NameCount
Teflon Hub268490
PayportSA20736
Fidelity Bank2625
Access Bank2332
Sterling Bank1588
Access Bank Ghana Plc760
Union Bank PLC272
PayByana210
Gene Solutions Multiservices Company68
Brinq Africa60
Crenet TechLabs Limited34
Flutterwave22
NTEL5

Account country (acctcountry)

Account CountryCount
NG583059
CA22386
CY17738
NL3070
GH805
GB242
SE236
ZA17
BG11
IN8
16
US1

Payment type (paymenttype)

Payment TypeCount
card570224
account32861
cpos-terminal11457
mpesa10235
ussd935
mobilemoneygh882
mcash-offline636
paypal188
account-internet-banking82
account-ach-us73

Payment card type (pcardtype)

Card TypeCount
MASTERCARD437457
VISA97713
VERVE18010
MAESTRO13672
Wema1510
Interswitch1227
ACCESS373
AMERICAN108
DANKORT69
VISASTANBIC55
DISCOVER16
You’ve successfully subscribed to
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Success! Your email is updated.
Your link has expired
Success! Check your email for magic link to sign-in.