Encryption Vendor for Sony, Lexar, and Sandisk Leaked API Keys

ENC Security, a Dutch company that provides encryption solutions to Lexar, SanDisk, Western Digital, and Sony, has had an API key data leak due to database misconfiguration.

The exposed instance contained configuration data, certificate files, API keys, Mailchimp keys, email marketing details, HMAC authentication codes, asymmetric encryption keys (public and private pairs), and more.

The data was discovered by Cybernews researchers who were scanning the web for potentially exposed instances, and according to their report, it was publicly accessible from May 27, 2021, until November 9, 2022.

This was when ENC Security closed access to the exposed database, explaining that the incident occurred due to a misconfiguration by one of its third-party suppliers.

Impact and Risk

ENC Security is the vendor of the ENC DataVault product, a data encryption solution for Windows and Mac, enabling users to lock their data with a password and keep them safe even in the case of someone stealing their drives.

SanDisk, Lexar, Sony, and Western Digital use custom versions of DataVault to offer their customers out-of-the-box data encryption features on their hard disks and pen drives.

According to ENC, apart from the product sales of its partners, ENC DataVault is downloaded 2,000 times every month and used by 12 million individuals.

Exposing administrator API keys means allowing attackers to explore the organization’s internal network, take over control of servers, and access payment or identification information of clients.

One of the exposed records

While it’s unlikely that someone breaks DataVault’s encryption scheme from this

Read more

Explore the site

More from the blog

Latest News