Update: Millions of IGN and PCMag user records sit exposed, online

A website configuration issue affecting itmanagement.com, a property owned by New York City digital publisher Ziff Davis, can be exploited to access a company database full of private user contact information, including names, phone numbers, employment details, email and employer addresses. The database also contains contact information for users registered on other Ziff Davis properties, which beyond itmanagement.com include ComputerShopper, Geek, PCMag and IGN.

Contact information for anyone in the shared database can be viewed by simply incrementing or decrementing a field in a URL belonging to one Ziff Davis publication. The website issue could be exploited by hackers to exfiltrate the database’s roughly 7.5 million private records — information considered ideal for email phishing and spam campaigns.
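One way a site operator could spot this kind of sequential record walking in web server logs, shown as an added example that is not from the original article. The URL path, the `id` parameter name, the log lines and the threshold are all constructed assumptions, since the article does not publish the affected URL.

```python
import re
from collections import defaultdict

def _line(ip, rec_id, status=200):
    # Builds one constructed access-log line; path and parameter are hypothetical.
    return (f'{ip} - - [01/Jan/2017:00:00:00 +0000] '
            f'"GET /member/view?id={rec_id} HTTP/1.1" {status} 1532')

# Constructed sample: one client walks ids upward, the others do not.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", i) for i in range(48210, 48217)]
    + [_line("198.51.100.23", i) for i in (1207, 88431, 1207)]
    + [_line("192.0.2.50", i) for i in (900, 899, 898)]
)

LINE_RE = re.compile(r'^(\S+) .*?"GET (\S+?)\?id=(\d+) HTTP/[\d.]+" (\d{3})')

def find_enumerators(log_text, min_run=5):
    """Return {client_ip: longest_run} for clients whose successful requests
    step a numeric id by +1 or -1, in one direction, min_run times in a row."""
    state = {}                  # (ip, path) -> (last_id, direction, run_length)
    longest = defaultdict(int)  # ip -> longest run of same-direction unit steps
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(4) != "200":
            continue            # only responses that returned a record count
        ip, path, rec_id = m.group(1), m.group(2), int(m.group(3))
        last_id, direction, run = state.get((ip, path), (None, 0, 0))
        step = rec_id - last_id if last_id is not None else 0
        if step in (1, -1):
            # Extend the run if the walk keeps its direction, else restart it.
            run = run + 1 if step == direction else 1
            direction = step
        else:
            direction, run = 0, 0
        state[(ip, path)] = (rec_id, direction, run)
        longest[ip] = max(longest[ip], run)
    return {ip: n for ip, n in longest.items() if n >= min_run}

if __name__ == "__main__":
    for ip, n in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {n} consecutive unit steps through record ids")
```

Detection of this kind only shortens the exposure window; the underlying fix is a server-side authorization check on every record lookup, so that a changed identifier returns nothing the requester is not entitled to see.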

Multiple cybersecurity researchers, who all spoke on condition of anonymity because of concerns about legal repercussions, told CyberScoop that they reached out to Ziff Davis to notify the company of the aforementioned configuration issue. Those researchers say their warnings, which began at least as early as December, went unanswered.

When reached for comment, a Ziff Davis spokesperson said he was previously unaware of the flaw.

[Image: URL that carries the configuration issue]

CyberScoop could not confirm how the configuration issue was originally found.

In 2002, Ziff Davis paid three states a total of $100,000 to settle a data breach incident in which personal information for thousands of subscribers leaked online. The publisher was ultimately forced to pay $500 to each of its U.S. customers who provided payment information while the database was exposed. Former New York Attorney General Eliot Spitzer oversaw the case. The incident reportedly caused some users to cancel credit cards.

 Update (2/23/17 – 11:30am): In an emailed statement to CyberScoop, a spokesperson wrote: “The security and privacy of our users’ data is of vital importance to us and we will make every effort to correct any and all risks. Within hours of being made aware of the vulnerability on itmanagement.com — and even before the publication of your story — we resolved the risk. Additionally, our extensive research indicates that neither IGN nor PCMag user data was exposed or at risk.” 

The configuration issue remained exploitable as of Tuesday night. CyberScoop reached out to Ziff Davis on Tuesday. Contact with the company’s communications team began that same day.

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Mary's College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.