WeWork developers exposed customer contracts, some of which contained bank account details, and the personal and contact information of other potential customers to the open internet.
The issue impacts a subset of WeWork customers based in India, China, and Europe. The news comes after WeWork has essentially imploded, with its valuation tumbling and investor SoftBank having to embarrassingly bail the company out with a cash injection of $9.5 billion. Mass layoffs are happening this week.
For some of the impacted customers “it’s an incredibly sensitive OpSec [operational security] issue to have the remote address of some of their employees get leaked, especially when that location is a shared workplace,” said Mossab Hussein, a security researcher from Dubai-based cybersecurity firm spiderSilk, who flagged the multiple issues to Motherboard.
One issue involved a GitHub profile of a WeWork developer. One of their repositories contained a script that included the URLs of PDFs hosted on unprotected Amazon servers. These URLs did not require authentication to access, and Motherboard was able to scrape them en masse. Motherboard downloaded just over 160 PDFs, most of which appear to be contracts between WeWork and individual customers.
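A check of the kind that would have caught this commit, added here as an example and not WeWork's or the researcher's code: it scans a source file for hard-coded Amazon S3 object URLs (both the virtual-hosted and path-style forms) so a pre-commit hook or CI job can flag them before they land in a public repository. The bucket names, keys and sample script below are constructed for the example.

```python
import re
from typing import List, Tuple

# Assumption: only the two common Amazon S3 URL forms are of interest here.
S3_URL_PATTERNS = [
    # virtual-hosted style: https://<bucket>.s3[.<region>].amazonaws.com/<key>
    re.compile(r"https?://(?P<bucket>[a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/(?P<key>[^\s'\"]+)"),
    # path style: https://s3[.<region>].amazonaws.com/<bucket>/<key>
    re.compile(r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/(?P<bucket>[a-z0-9.-]+)/(?P<key>[^\s'\"]+)"),
]

# Document-like keys (contracts, exports) are ranked higher than static assets.
SENSITIVE_SUFFIXES = (".pdf", ".csv", ".xlsx", ".docx", ".sql", ".bak")


def find_object_urls(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, bucket, key) for every S3 object URL in source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern in S3_URL_PATTERNS:
            for m in pattern.finditer(line):
                findings.append((lineno, m.group("bucket"), m.group("key")))
    return findings


def flag_commit(source: str) -> List[str]:
    """Turn findings into warnings a pre-commit hook or CI job can print and fail on."""
    warnings = []
    for lineno, bucket, key in find_object_urls(source):
        severity = "HIGH" if key.lower().endswith(SENSITIVE_SUFFIXES) else "MEDIUM"
        warnings.append(f"{severity}: line {lineno}: object URL to bucket '{bucket}' (key '{key}')")
    return warnings


# Constructed sample: a small downloader script of the kind described above, with made-up buckets.
SAMPLE_SCRIPT = '''
import requests
DOCS = [
    "https://example-contracts.s3.amazonaws.com/agreements/member-0001.pdf",
    "https://s3.eu-west-1.amazonaws.com/example-contracts/agreements/member-0002.pdf",
    "https://example-assets.s3.us-east-1.amazonaws.com/img/logo.png",
]
for url in DOCS:
    open(url.rsplit("/", 1)[-1], "wb").write(requests.get(url).content)
'''

if __name__ == "__main__":
    for warning in flag_commit(SAMPLE_SCRIPT):
        print(warning)
```

A hit from this check is a prompt to verify the bucket's access policy and to move the reference out of source control, not proof that the object is public.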
Those include membership agreements with cybersecurity companies such as Palo Alto Networks and Tenable. The agreements contain phone numbers and addresses of individuals, and others have bank account information. Palo Alto declined to comment, and Tenable did not respond.
Hussein also found a web portal related to WeWork in India that leaked the phone number, email address, name, and other personal information of “leads.” Leads are likely people who indicated they were interested in renting space at WeWork.
WeWork removed the GitHub repo from the public internet shortly after Motherboard asked the company for comment. The Indian domain had already stopped leaking data by the time Motherboard visited it.
A WeWork spokesperson said in a statement: "WeWork was recently alerted to two personal Github pages with public settings that linked to certain company confidential information and another instance in which an affiliated company had posted information regarding sales leads in a manner that was not authorized. We immediately initiated an investigation and took steps to limit access to the information. We take our members' security and privacy very seriously, and we regret any concern this may cause."