Discovering a Potentially Hacked Accountant: Lessons in How to Protect Your and Your Clients’ Sensitive Data

During my search for a new accountant, I encountered an accounting firm which appears to have a compromised email server. This serious cybersecurity oversight could affect not just the firm, but also any of their clients who are relying on the firm’s weak digital defenses to protect their financial data.

I always perform proactive due diligence on potential partners, using publicly available technical signals (OSINT) to assess their security posture, a practice I recommend for anyone entrusting organizations with sensitive information like financial data or PII (personally identifiable information). Additionally, two years ago, my Social Security number was leaked in a data breach when a client of mine sent my tax form via email to their CPA, and the CPA’s email was hacked. Because of this incident, I’m painfully aware of how important it is to secure your email.

How I discovered the possible compromise:

The MSP’s Website:

Publicly available technical signals about the accounting firm pointed me to the email and managed IT service provider (MSP) the firm works with. When I went to the MSP’s website, I found that it had been hacked and contained links to an external website hawking fake Rolex watches on its “Cybersecurity Solutions” page. That said, the MSP’s website is separate from the email server, so this doesn’t by itself indicate that the email server was breached, so I investigated further.

Screen shot of the MSP's "Cybersecurity Solution" page with IoCs (indicators of compromise).

Information contained within the emails the accountant had sent me:

I looked at the technical data contained within the email (headers) that the accounting firm sent me. The email headers revealed the type of email server, and the server’s software version. The email headers indicated that the software of the email server was almost a year out of date.

I realize that many of you reading this may not know what this means; some of you already know what likely happened. When a server is exposed to the internet, it is continuously scanned and attacked by malicious threat actors. If any vulnerabilities exist in the server, the likelihood that they are exploited is virtually 100%. There are 8 billion people on the planet, and billions more internet-connected devices that can reach that email server. It’s highly probable that one of them is going to try to compromise it.

Publicly listed information about the email server.

Published CVEs about the email server:

Vulnerabilities in software are typically called Common Vulnerabilities and Exposures, or CVEs for short. Think of CVEs as unlocked doors in your house you didn’t know existed. If your software is out of date, it’s like leaving those doors wide open for anyone to walk through. This email server had left its doors open, and hadn’t been patched since March 14th of 2023. A plethora of vulnerabilities (CVEs) have been discovered since the release of the last patch this email server received, including two critical CVEs with a CVSS score of 9.8 out of 10, and about a dozen high-severity CVEs scored 8 or above out of 10.
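As an added example (not the author’s own tooling), here is how the two checks described above can be scripted: pull the receiving server’s product and version out of the Received headers of a message, then compare that version against a list of advisories and count the critical and high ones it has not been patched for. The message, the product name ExampleMTA, the hostnames and the CVE-0000-* ids are constructed placeholders, not values from this case.

```python
import re
from email import message_from_string
# Constructed sample message (not a real email). The "by <host> (<product> <version>)"
# clause of a Received hop is where many MTAs disclose their software; all names are made up.
SAMPLE_EMAIL = """\
Received: from mx.firm.example (mx.firm.example [203.0.113.10])
    by mail.client.example (ExampleMTA 7.0.3) with ESMTPS id abc123
    for <me@client.example>; Mon, 4 Mar 2024 10:15:22 +0000
Received: from staff-laptop.firm.example (unknown [198.51.100.7])
    by mx.firm.example (ExampleMTA 4.1.2) with ESMTPSA id def456;
    Mon, 4 Mar 2024 10:15:20 +0000
Subject: Engagement letter
"""
# Constructed advisory records with placeholder ids; real ones would come from the
# vendor's advisories or the NVD feed for the product.
ADVISORIES = [
    {"id": "CVE-0000-0001 (placeholder)", "fixed_in": "4.1.5", "cvss": 9.8},
    {"id": "CVE-0000-0002 (placeholder)", "fixed_in": "4.2.0", "cvss": 9.8},
    {"id": "CVE-0000-0003 (placeholder)", "fixed_in": "4.1.3", "cvss": 8.1},
    {"id": "CVE-0000-0004 (placeholder)", "fixed_in": "4.0.9", "cvss": 7.5},
    {"id": "CVE-0000-0005 (placeholder)", "fixed_in": "7.0.1", "cvss": 5.3},
]
BANNER_RE = re.compile(r"\bby\s+(\S+)\s+\(([A-Za-z][\w.-]*)\s+(\d+(?:\.\d+)+)\)")

def server_banners(raw: str) -> dict:
    """Map each receiving host in the Received chain to its (product, version)."""
    found = {}
    for hop in message_from_string(raw).get_all("Received", []):
        m = BANNER_RE.search(" ".join(hop.split()))  # unfold the header first
        if m:
            found[m.group(1)] = (m.group(2), m.group(3))
    return found

def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))  # numeric, so 4.1.2 < 4.1.10

def severity_summary(version: str) -> dict:
    """Count advisories whose fix the observed version has not received."""
    v = parse_version(version)
    hits = [a for a in ADVISORIES if v < parse_version(a["fixed_in"])]
    return {"unpatched": len(hits),
            "critical": sum(a["cvss"] >= 9.0 for a in hits),
            "high": sum(7.0 <= a["cvss"] < 9.0 for a in hits)}

def assess(raw: str, host: str):
    banner = server_banners(raw).get(host)
    if banner is None:
        return None  # host does not disclose a product/version banner
    return {"host": host, "product": banner[0], "version": banner[1],
            **severity_summary(banner[1])}
```

In the constructed sample, the firm’s server (mx.firm.example) is on 4.1.2 and shows two critical and one high unpatched advisory, while the receiving provider on 7.0.3 shows none.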

Email servers like this are easy pickings for hackers around the world. The exploit has been published by security researchers; all you need to do is find the server and execute the existing exploit.

Just a few of the CVEs that make the email server software vulnerable.

All of this is publicly available, easily accessible information.

I found more information about this email server on a website called Shodan.io, which scans the world’s IP addresses and publishes the information publicly for all to see. It confirmed that the server was indeed vulnerable.

All you need is an IP address! And Shodan takes care of the rest.

As a cybersecurity professional, I worked ethically to try to communicate this information to the accounting firm, but my emails were ignored. The problem is, there are many individuals who will exploit this for profit. How many Social Security numbers and routing numbers are sitting on that server? Maybe one day the accounting firm’s customers will know what happened, if the firm has to inform its clients of a breach.

Breaches happen, and they suck.

To all my fellow managed service providers and internal IT teams out there: make sure your software is patched. To all financial service firms, and any company that uses technology to do business: make sure you know who’s providing your IT management and do your own due diligence on them. Third-party risk is real, and handing off the keys to your and your customers’ data should give you pause. This extends to vetting the security practices of any third-party vendors, especially MSPs, to ensure they meet your cybersecurity standards.

I’m sharing this story not to point fingers, but to spark a conversation about how we can all do better with cybersecurity. Let’s take this as a reminder to keep our digital doors locked tight, which means updating your software regularly. It’s a simple step that can save a lot of trouble.

Randall Bellows III

Founder of Be Co - Technology Consultant, vCIO, Creative

https://beco.technology