Identity & Access Management , Security Operations

Silicon Valley VC Firm Leaked 'Deal Flow' Data

Plug and Play Ventures Left an Amazon S3 Bucket Open to the Internet
Silicon Valley VC Firm Leaked 'Deal Flow' Data
Plug and Play's headquarters in Sunnyvale, California

A Silicon Valley venture capital firm that runs a matchmaking service linking investors with startups exposed 6GB of data, including deal flow information pertaining to investors and startups.

See Also: Access Management Alone is Not Enough: Unified Identity Security Approach

The data belongs to Plug and Play Ventures, which is headquartered in Sunnyvale, California, and has offices around the world. Plug and Play helps startups get off the ground and matches those companies with investors. The firm says it has benefited from early investments in PayPal and Dropbox.

The leaked data appears to be a PostgreSQL database for, a networking and deal flow application from Plug and Play.

The unencrypted data includes personal contact information for investors, founders and CEOs. It includes personal information voluntarily submitted by those people to Plug and Play, including names, phone numbers and email addresses. There are more than 50,000 unique email addresses in the data.

The data includes usersnames, hashed passwords and affiliated account data.

In other parts of the data there are snippets of emails - such as the sender, recipient and subject line of an email - that were sent between staff at Plug and Play and other users. The content of those emails, however, doesn't appear to be in the data. The data appears to have been scraped from G Suite, which is now known as Google Workspace.

There was also an exposed API key, although it isn't clear what kind of data that unlocks. Also, usernames and password hashes were exposed. Plain-text passwords are hashed, which is the term for running a password through an algorithm. That cryptographic output is retained rather than the actual password, which is safer in case of a data breach. The hashes appear to be pbkdf2 SHA256.

ISMG found other documents, including a boarding pass and dozens of slide decks written by companies for investors, with at least one marked "confidential." There are also logs of IP addresses and what pages those addresses visited.

A boarding pass in the leaked Plug and Play data

The data would appear to give some clues as to what types of companies an investor may be interested in, which could perhaps give an edge in the ultra-competitive sphere of startup investment.

Exposed for a Year

The data appears to have been exposed to the public since Oct. 20, 2020, due to a misconfiguration of an Amazon S3 storage bucket, according to the researcher who found it. The researcher wishes to remain anonymous.

ISMG notified Plug and Play of the breach on Sept. 16. Syed Azhar, who is Plug and Play's chief information officer, responded on Sept. 17.

Some exposed information appears to have been parts of emails scraped from G Suite, now known as Google Workspace.

Despite the contact, the data exposure continued. Finally, by Oct. 2, the data was secured after a tweet the previous day by Australian security researcher Troy Hunt, who created the Have I Been Pwned data breach notification service.

It's unclear why there was a delay in securing the data. Azhar did not respond to a query as to whether Plug and Play will notify those in the breach or regulators.

Plug and Play's website has a privacy policy indicating that its U.S. operations fall under California law. California's data breach law requires notification of residents if their unencrypted personal information "was acquired, or reasonably believed to have been acquired, by an unauthorized person," according to the state's attorney general's office.

The company also has offices throughout the European Union, which means if there are E.U. residents in the breach, the General Data Protection Regulation would apply. That requires entities to report data breaches within 72 hours.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.