We’re sorry for mistake that exposed 5,000 users • The Register


VirusTotal today issued a mea culpa, saying a blunder earlier this week by one of its staff exposed information belonging to 5,600 customers, including the email addresses of US Cyber Command, FBI, and NSA employees.

The unintentional leak was due to the layer-eight problem: human error. On June 29, an employee accidentally uploaded a .csv file of customer info to VirusTotal itself, said Emiliano Martinez, tech lead of the Google-owned malware analysis site.

“This CSV file contained limited information of our Premium account customers, specifically the names of companies, the associated VirusTotal group names, and the email addresses of group administrators,” Martinez wrote in a Friday disclosure.

“We removed the file, which was only accessible to partners and corporate clients, from our platform within one hour of its posting.”

The employee had this list in the first place because the customer data was “critical to their role,” we’re told.

For those who don’t know: VirusTotal allows netizens to – among other things – upload files, or submit a URL to one, and the site runs the material through various malware-scanning engines to see if anything malicious is detected or identified. Premium subscribers can also download uploaded samples, which is how the uploaded .csv file of customer info was accidentally leaked.

Martinez said the snafu was “unequivocally” not the result of a security breach or vulnerability: “There were no bad actors involved.” After the accidental upload, VirusTotal is reexamining its processes and control processes, he said.

“Again we apologize for any confusion or concern this may have caused,” Martinez concluded. 

Der Spiegel first reported the leak on Monday, saying the 313KB file contained users’ names and email addresses belonging to organizations’ employees who registered for a VirusTotal account. 

This reportedly included more than 20 US Cyber Command email addresses, as well as those belonging to the US Justice Department, FBI and NSA. German, Dutch, British, and Taiwanese agencies were also affected, including Germany’s federal police and Military Counterintelligence Service, as were major German corporations like BMW, Mercedes-Benz and Deutsche Telekom. ®
