Not sure if this is the right place to post this, so remove if not allowed but I can’t think of anywhere to go for advice which couldn’t be traced back to me or my place of work.
The part of the company I work for specialises in software development in Windows Applications.
Aside from the fact that the software stores the passwords for each user to use the software as plain text in the database, we also have a publicly accessible SOAP Web Service on a Windows Server 2008 R2 with no private key required which can be used to license the software and recover passwords via an email sent from our servers. This doesn't ask the user to reset the password; it literally just sends the user name and password to the email specified in the call to the function. There's also an SQL Server database on the server that hosts this that contains all our data, jobs, invoicing, customer accounts and subscriptions, as well as logins for any cloud databases we have created.
We have around 1000+ clients in about 30 countries. They also have the option to upgrade to our “Cloud” system which uses another SOAP Web Service to check changes between the local SQL Express 2008 database with the one on the Azure Windows Server 2012 that hosts the service.
Yesterday, after getting swamped with calls, I noticed that all our clients' cloud databases were in single-user mode, which we've encountered in local databases when a restore failed.
After some investigating I noticed that the SQL Server where the cloud databases are is publicly accessible through a web address, e.g. “webaddress.azure.comSQLSERVER”, provided you use “sa” as the username and know the password that our company uses for everything else.
These databases contain information about our clients' livelihood as well as any contact information for themselves or others that they've stored using our software.
I've raised this issue with them and mentioned that if someone were to take the time to decompile the DLLs that our software provides, they could find out our passwords from connection strings and the web address and SQL instance name on our Cloud server, but they don't seem to care.
Some of our customers are very nice people. How bad is the security of our services and how at-risk is our data and clients data?