HCL Technologies has inadvertently exposed passwords, sensitive project reports and other private data of thousands of customers and internal employees on various public HCL subdomains, a report by Threatpost said.
The company specializes in areas such as engineering, software outsourcing and IT outsourcing, and manages in-house personnel data as well as customer project information.
The report said that earlier this month, researchers discovered several publicly accessible pages on various HCL domains that exposed private data to anyone who visited them. This included personal information, plaintext passwords for new hires, installation reports, and web applications for managing personnel, affecting thousands of HCL customers and employees.
According to senior HCL officials, most of the pages that allowed public access were indexed by search engines. Further research into the issue suggested that the exposed credentials and internal IDs could be used to log into other HCL systems, while the remaining data could be used for phishing and other attacks.
Researchers said that although the freshly created passwords for new hires were the most sensitive data, the incident shows how information such as internal IDs can be used to expand the scope of a breach and gather more information.
Unfortunately, it was not just employee data: the breach also accidentally exposed data belonging to several of HCL's customers, such as statuses, sites, incidents and more. After a thorough analysis, HCL fully secured the data on May 8.