RT @mmasnick Holy shit.
1. Bluekai has always been sketchy.
2. Had no idea Oracle bought them.
3. Oracle attacks Google ALL THE FUCKING TIME claiming that Google is a privacy risk, when... https://t.co/nMmmnIltF8
— SwiftOnSecurity - Copy (@SwiftOnSecurit1) June 19, 2020
By leaving a server unsecured without a password, tech giant and data harvester Oracle has exposed billions of records of people around the globe.
In 2014, Oracle purchased BlueKai for over $400 million, adding it to Oracle's marketing platform to allow "marketers to act on data from both existing customers and new markets, and precisely target customers with a tailored message across all platforms," according to Steve Miranda, Oracle EVP, application growth.
BlueKai tracks users around the web through cookies and other proprietary technologies. This isn't limited to users of Oracle. By monitoring which websites people visit and which emails they open, BlueKai can infer a wide array of information about us, from our preferences to our politics to our profits. It is, of course, built for "ideal identity resolution," ad-tech speak for matching consumers with the best advertising. Effectively, all these different data sources merge to form a "one size fingerprint" of a person's device, which can later be linked to other devices.
One record concerned a German who used a prepaid debit card to place a 10 euro bet on an esports betting site on 19 April. The record also included the identity, telephone number and email address of the individual.
In another case, the server left open information about how one of Turkey's largest investment holding firms used BlueKai to track users on its website. The record detailed how one person, living in Istanbul, ordered furniture worth $899 from an online homeware store. We know because the record contained all of this information, including the name of the purchaser, the email address and the direct web address for the purchaser's order, no login required.
Given the volume of data on this server, this is already one of 2020's biggest cybersecurity errors, but unfortunately there's no way to know who else could get their hands on that data.