Data from Philip Morris USA, the nation’s leading cigarette manufacturer, has been exposed online following an apparent breach at a cybersecurity firm.
The data, taken from the cybersecurity risk assessment company OptimEyes, was located within a 68GB cache posted to the notorious imageboard 4chan on Tuesday.
OptimEyes, according to its website, leverages artificial intelligence and machine learning to “provide analytics that improve risk mitigation decision-making.” The leak contains everything from source code for OptimEyes’ software to data on its customers, which appears to include the tobacco giant.
A README file left in the cache by the hacker notes that credentials allowing access to numerous company servers were also present in the data, as well as OptimEyes’ “genius” machine learning models that, the hacker joked, “couldn’t prevent this attack.”
The Daily Dot was alerted to the data this week by hacker maia arson crimew, who stated that she came across the dump on 4chan. Further analysis of the leak led to the discovery of vulnerability scans carried out by OptimEyes on the networks of numerous companies including Philip Morris USA. An inventory for nearly 14,000 active and retired devices on the tobacco giant’s network was found among the files as well.
Data from the devices matches up with public listings for Philip Morris employees.
Other clients that appear in OptimEyes’ breached data include an international energy company as well as a U.S.-based pipe manufacturer.
In remarks to the Daily Dot, crimew noted that such information would be a “gold mine” for any attacker that managed to gain access to the cigarette company’s digital infrastructure.
“Not only does it give an attacker a complete map of the network, it also has convenient info about which devices and which applications contain which data and of which classification level,” she said.
One such device listing viewed by the Daily Dot stated that its data classification level was “Ultra Trade Secret.” The listing also noted whether the device contained personally identifiable information or information protected by HIPAA laws.
While the hacker did not reveal in their note how they were able to obtain OptimEyes’ data, crimew says she found an exposed server run by OptimEyes after searching for keywords from the dump.
The server, crimew added, contained a link to the company’s Bitbucket, a service that hosts OptimEyes’ product source code. Incredibly, the text of the link included the login credentials for OptimEyes’ Bitbucket account.
In a statement to the Daily Dot, a spokesperson for Altria, the parent company of Philip Morris USA, said that it briefly tested out OptimEyes’ vulnerability analytics capabilities two years ago but ultimately declined to retain their services.
The spokesperson also stressed, as already noted by the Daily Dot, that the data does not provide access to the tobacco company’s servers but instead lists out the devices it had on its network at the time.
OptimEyes did not respond to inquiries from the Daily Dot regarding the data leak.
This piece has been updated with comment from Philip Morris’ parent company, Altria.