Summary
TurgenSec became aware of a publicly accessible datastore which belonged to Procore.com. The breach appeared to contain 270,360 unique email addresses. TurgenSec contacted Procore on the 8th February and they had closed the breach by the 10th February.
This breach was accessed and downloaded by at least one unknown third party.
The information was left public facing, where anyone with a browser and an internet connection could access it if they knew where to look.
What is Procore.com?
Procore is a software company that provides cloud-based construction management software. Procore was recently valued at $5 billion.
The breach appears to relate to procore.com/jobsite/, but this is not confirmed.
Potential sensitive data headings:
- first_name
- last_name
- company_name
- jobsite_weekly_subscribe_main
- jobsite_weekly_apac_main
- jobsite_region_california_subscribe
- jobsite_region_midatlantic_subscribe
- jobsite_region_midwest_subscribe
- jobsite_region_mountain_states_subscribe
- jobsite_region_new_england_subscribe
- jobsite_region_new_york_subscribe
- jobsite_region_northwest_subscribe
- jobsite_region_southeast_subscribe
- jobsite_region_southwest_subscribe
- jobsite_region_texas_louisiana_subscribe
- created_at
- updated_at
The Disclosure
TurgenSec first disclosed this to Procore on the 8th February, and the breach was closed by the 10th February.
Following disclosure Procore invited us to join their HackerOne Bug Bounty program, but TurgenSec declined as we do not accept payment for responsibly disclosing potential data breaches.
17th February: TurgenSec requested further information, seeking assurance that the incident was being dealt with correctly and that those impacted would be informed, saying:
“We appreciate that responding to these incidents can take time and that triaging and responding may require interaction with third party regulatory bodies and forensics organisations that can take up valuable response time.
That being said, we would appreciate some transparency on the steps you are taking going forward and your progress in responding to this potential incident.”
TurgenSec did not get a reply.
23rd February: TurgenSec informed Procore that we would continue with our Responsible Disclosure Policy (public disclosure) as we had not received a reply, saying:
“Due to a lack of response to the last two emails we sent we have made the decision to continue with the steps outlined in our Responsible Disclosure Policy: https://github.com/TurgenSec/policies/tree/master/approved
If you wish to re-engage with TurgenSec we would be delighted to work with you to respond to this potential incident.”
23rd February: Procore responded, confirming they had read our Responsible Disclosure Policy and required nothing further from us at that time. They informed us that the investigation was ongoing and that they could not share any information with us.
24th March: Having given Procore a month to respond, TurgenSec sought assurance that Procore had informed those impacted, saying:
“Dear Procore Security Team,
Some time has passed since we reported this incident to you. I hope your incident response team has managed to take all the necessary steps to resolve and mitigate any impacts. Our responsible disclosure policy (https://github.com/TurgenSec/policies/tree/master/approved) outlines the responses we take at various stages. The main concern for us is making sure those impacted have been informed truthfully of the full extent of a potential breach so that they can take actions to protect themselves. We have a few questions that we would really appreciate if you could answer…
Questions:
- Have all of those impacted been informed of the true extent of the data breached so that they can take actions to protect themselves? What assurance can you give us of this? Did you inform them by email, if so can we see the email that was sent out?
- Have you reported the incident to any relevant authorities? E.g. if there are European citizens contained within the potential breach then there will be legal obligations to disclose this to GDPR regulatory commissions (ICO in the UK), regardless of where a company is registered.
If we cannot get assurances that those impacted have been informed of the true and full extent of data exposure we will have no choice but to continue in line with our responsible disclosure policy and publicly disclose this incident so that those impacted have the best chance of being informed.”
TurgenSec did not get a reply.
31st March: TurgenSec sent a follow-up seeking a response to the above email.
TurgenSec did not get a reply.
We encourage Procore to submit the breached data to digital forensics specialists to ascertain the extent of this data breach.
We also encourage Procore to inform the ICO if UK citizens' data is contained within, and to issue a public disclosure of this data breach explaining how this datastore breach occurred and the full extent of what was breached, so that the impacted individuals can take the necessary steps to protect themselves.
Afterword
Disclosing breaches to companies is not without risk. In the past well-meaning security researchers looking to help have been threatened with prosecution. That said, to our knowledge, no ethical hacker has been successfully prosecuted under the Computer Misuse Act 1990 since it came into force.
No hacking or offensive techniques were utilised to discover the data; at the time of data access, any user with a web browser and internet connection would have been able to access the data in the database.
Choosing to disclose this breach is at our own risk, and to the immediate and ultimate benefit of the people and organisations impacted. To assist these individuals and organisations, we provide the column headings of the breached data in “Potential sensitive data headings”. This allows those impacted people and organisations to assess the scope of the breach and where appropriate, exercise their legal rights and incident response plans.
Going forward, we hope that companies in the UK and internationally will follow the lead of the National Cyber Security Centre and encourage security researchers to disclose their findings without fear of entering a high-risk, no-reward situation. We believe that such a culture shift would directly benefit the UK and international community through the global reduction of cyber crime.