Email Marketing Firm Pabbly Leaves 51.2 Million Records Exposed Online

Email marketing software Pabbly has become the latest firm to demonstrate a security lapse in its system, exposing 51.2 million online.

In a report posted on Security Discovery, cybersecurity researcher Jeremiah Fowler said he discovered “an open and publicly accessible database” that contains millions of records and email addresses on January 24.

“There were references in the database to and that domain directs visitors to a permission-based email service provider by the name of Pabbly. I sent a responsible disclosure notice to Pabbly email marketing the same day as the discovery and pubic access was restricted within hours. However, no one from Pabbly replied to the initial notice or additional requests for information,” he wrote.

Email Marketing Firm Pabbly

According to Fowler, the records appear to be dated 2014 and contain a total of 50.6 million email addresses. Other personal details exposed to the breach include the customers’ names, IP addresses, email messaging, storage info, internal logs, ports, and more.

Fowler noted that the database was accessible to the public and could be edited, downloaded, or even deleted by anyone without administrative credentials.

Anyone with an internet connection could have had access to millions of Pabbly email marketing’s customer records. It should be noted that Pabbly also offers email scrubbing where users upload their own lists and they will remove invalid, duplicate email addresses and provide users with a “clean list,” he added.

Founded in 2011, Pabbly operates as an email marketing company based in India. Using their software, customers can avail Pabbly’s extensive features, including an in-built delivery engine service, list cleaning feature, in-built email builder, email tracking, and more.

Under the current Indian law, entities are obliged to inform the authorities in case of a massive data leak. To date, although the email marketing firm has already restricted public access to the open database, it still hasn’t informed anyone about the incident.

“It is unclear how long the data was exposed or who else may have gained access to it before I responsibly disclosed my discovery to the Pabbly email marketing. It is also unclear if the affected customers or the authorities were notified of the exposure. Pabbly is located in Bhopal, Madhya Pradesh, India. According to their website Pabbly is used by 100K+ businesses that include Harvard University, The Guardian, Uber, and others  At the time of publication no reply or statement has been given by Pabbly,” Fowler continued.