BrewDog exposed data of 200,000 shareholders for over a year
According to PenTestPartners, BrewDog exposed the personally identifiable information of roughly 200,000 shareholders over the past 18 months. During the investigation and research into the security incident, BrewDog allegedly declined to inform its shareholders and asked not to be named. The Scottish brewery eventually implemented a hard-coded Bearer authentication token associated with API endpoints to its mobile applications on October 8. However, users who had already entered their credentials were not protected by this verification step.
PenTestPartners members, who are BrewDog shareholders, appended each other’s customer IDs at the end of API endpoint URLs. After conducting tests, they discovered they could access the personally identifiable information of Equity for Punks shareholders without authentication. The information exposed in the snafu includes shareholder names, dates of birth, genders, telephone numbers, addresses, shares held, referrals, and more. According to the researchers, an attacker could brute force the customer IDs and download the entire database of customers and shareholders. Attackers would be able to identify the shareholders with the most shares and view their addresses.
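The control missing in the behaviour described above is an object-level authorization check. As an added example (not BrewDog's or PenTestPartners' code; the handler names, token value and customer records are constructed for illustration), this contrasts a handler that trusts one token shared by every app install with a handler that binds a per-login token to a single customer ID:

```python
import hmac
import secrets

# Constructed sample records standing in for shareholder data.
CUSTOMERS = {
    "1001": {"name": "Shareholder A", "shares": 4},
    "1002": {"name": "Shareholder B", "shares": 250},
}

# Weak pattern: one token shipped inside every copy of the app (placeholder value).
SHARED_APP_TOKEN = "hard-coded-token-placeholder"

def get_customer_weak(bearer, customer_id):
    """Proves only that the caller holds the shared token, not who the caller is."""
    if not hmac.compare_digest(bearer.encode(), SHARED_APP_TOKEN.encode()):
        return 401, None
    record = CUSTOMERS.get(customer_id)
    # Any customer ID placed in the URL is served to any token holder.
    return (200, record) if record else (404, None)

# Hardened pattern: a random token per login, bound server-side to one customer.
SESSIONS = {}  # token -> customer_id that owns it

def issue_token(customer_id):
    """Hypothetical helper, called only after the customer's credentials are verified."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token

def get_customer_hardened(bearer, customer_id):
    """Serves a record only to the customer the token was issued to."""
    owner = SESSIONS.get(bearer)
    if owner is None:
        return 401, None  # unknown token, including the old shared one
    if owner != customer_id:
        # Same answer whether or not the requested ID exists, so the
        # response does not reveal which customer IDs are valid.
        return 403, None
    return 200, CUSTOMERS[owner]
```

Returning the same 403 for every ID other than the caller's own also removes the signal that ID guessing relies on; repeated 403s from one token are a useful detection event.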