Data belonging to clients of shared workspace company WeWork was reportedly left exposed and accessible to the public via GitHub, while a web portal separately leaked information on prospective customers.
Mossab Hussein, security researcher from Dubian-based spiderSilk, discovered the data mismanagement and reported it to Vice/Motherboard, which published a report on the findings today.
The GitHub leak reportedly affected a subset of WeWork customers located in India, China and Europe. Exposed information included bank account details and personal information including addresses and phone numbers.
Additionally, Hussein found a web portal related to WeWork in India that also exposed information on prospective clients (aka “leads”), including their names, email addresses and phone numbers.
Motherboard reported that WeWork secured the GitHub repository shortly after the company was contacted for comment, and noted that the Indian web portal domain had stopped leaking by the time its reporter visited the site.
“WeWork was recently alerted to two personal GitHub pages with public settings that linked to certain company confidential information and another instance in which an affiliated company had posted information regarding sales leads in a manner that was not authorized,” said a WeWork spokesperson, per Motherboard. “We immediately initiated an investigation and took steps to limit access to the information.”
Since the figurative bailout from major investor SoftBank (and subsequent $1.7B departure of founder/CEO Adam Neumann), more than 12,000 global staffers are bracing for layoffs.
It is a tumultuous time right now for WeWork, which recently delayed its IPO and is expected to lay off thousands of employees imminently. In September, company CEO Adam Neumann announced that he would step down from his position.