UPDATED 22:40 EDT / APRIL 08 2020

95M records exposed on database belonging to marketing firm Maropost

A database belonging to marketing automation platform provider Maropost Inc. has been found exposed online, complete with 95 million individual customer email records and email logs.

Discovered by researchers at Cybernews, the database included more than 19 million unique email records belonging to about 10,000 clients. Those clients include the New York Post, Shopify Inc., Fujifilm Holding Corp., Hard Rock Cafe Inc. and Mother Jones.

For once, the database wasn’t found on an Amazon Web Services Inc. server but on a Google Cloud server located in the U.S.

The researchers attempted to reach out to Maropost to inform it that the database was exposed two months ago and, despite ongoing attempts, were unable to get anyone to respond. In the end, the researchers decided to inform the Cybersecurity and Infrastructure Security Agency at the U.S. Department of Homeland Security of the data breach.

They eventually received a reply April 1 from Maropost Chief Executive Officer Ross Andrew Paquette, who claimed that the email addresses in the database were randomized data the company used for external testing. The researchers noted, however, that their tests showed this not to be the case because the emails were real and deliverable.

“Like the vast majority of breaches, it is rooted in the company’s failure to do the basics well — the basics of security policies and standards, architecture and design, security assessment, and employee awareness,” Kelly White, chief executive officer of risk assessment firm RiskRecon Inc., told SiliconANGLE.

“It is also rooted in the failure of Maropost’s customers to hold them accountable to operating a strong security risk management program,” Kelly added. “Companies must operate robust third-party security risk management programs that hold their vendors accountable to implementing good security practices. Companies that don’t do so are going to be doing business with insecure vendors and their data is going to be compromised.”

Balaji Parimi, CEO of cloud security platform company CloudKnox Security Inc., noted that cloud resource misconfigurations have become one of the biggest threats to enterprises.

“There’s a simple reason these vulnerabilities are so prevalent: the complexity of multi-cloud environments, combined with a lack of visibility into who can do what, when and where,” he said. “When combined, this leads to identities with excessive high-risk permissions operating in environments where security teams can’t answer simple questions like: ‘What permissions does each service account or employee have?’ and ‘What actions have they performed?’”

Image: Maropost
