• Resolved bladetwick

    (@bladetwick)


    Hi

    This is to let you know we have followed up with the plug-in in question about the breach.
    We will reply to your support email to make the “Make bookings private” option available with the free version, as this is sending customer data to Google and it’s against GDPR rules:

    To NextGen gallery plug-in:
    Hi
    We received a customer report of a data breach via our WordPress plug-in, the FiveStar booking system https://en-gb.ww.wp.xz.cn/plugins/restaurant-reservations/

    NextGen was able to read the booking name, email, phone number and booking details and published them on Google under the following link: https://brouge.co.uk/ngg_tag/brouge-twickenham which sent you to a list of our images and opened a pop-up to print those images automatically.

    We have since removed the NextGen gallery plug-in and blocked access to the ngg_tag file – awaiting Google’s update of our site index; hopefully those details will disappear.
    We found other customer details in the same breach on Google. We have an image of this to prove the breach.

    We sent the image to FiveStarPlugins and their response was to make the bookings private (not available on the free version) and to make the WP page private – which is not possible as the data is stored in the plug-in. We will follow this up further.

    Can you please tell us how these details were published on google via NextGen Gallery however?
    Is there a possible breach that needs looking at?

    We look forward to your response

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support jaysupport

    (@jaysupport)

    Hi Blade,

    Sorry for any issues you are having related to our plugin. Would you perhaps be able to clarify what the exact issue is, and how the NextGen Gallery is involved?

    Are you saying there is an issue presenting itself in the NextGen gallery, and which you think something from our plugin is responsible for?

    Or are you saying that the same issue is presenting itself in both our plugin and that plugin?

    The URL you referenced is not created by our plugin, so I’m not sure how you mean to say our plugin is involved or related to it. Were you trying to include the view bookings form in a NextGen gallery, or something like that? Or include a NextGen gallery on the view bookings form page?

    As far as placing the view bookings form from our plugin on a private page, that should be as simple as making the page private in your WordPress. I think perhaps you misunderstood our explanation in the email. What we meant to say is that you can make any page in your WordPress private. This is not something from our plugin, but from WordPress itself. For this, just go to the “Pages” section in your WordPress admin, open up/edit the page you put the form on, and set the visibility to private. You can find more info about this here: https://ww.wp.xz.cn/support/article/content-visibility/#private-content

    Furthermore, if you’re concerned about what content Google is crawling on your site, you may want to do some research into using your robots.txt file to disallow parts of (or the whole of) your site from being crawled. A good introduction to this subject can be found here: https://support.google.com/webmasters/answer/6062608

    There are also plugins that help with setting up the robots.txt file and disallowing crawling.
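
The two controls mentioned in this reply (setting the WordPress page to Private, and disallowing paths in robots.txt) do different things, and the difference matters for a leak like the one described. The script below is an added example, not code from the thread or from either plugin: it parses a constructed robots.txt with the standard library's `robotparser` and combines that with constructed unauthenticated-probe results to label each path as hidden from crawlers, hidden from visitors, or neither. The site name, the paths, and the observed status codes are all assumptions.

```python
"""Audit which site paths are merely hidden from crawlers and which are
actually unreachable by an anonymous visitor.

Added example; not code from the forum thread, NextGen Gallery or the
FiveStar booking plugin. Site, paths and responses are constructed.
"""
from urllib import robotparser

SITE = "https://example.invalid"  # assumed site name

# Constructed robots.txt (the thread does not quote the real file).
ROBOTS_TXT = """\
User-agent: *
Disallow: /ngg_tag/
Disallow: /wp-admin/
"""

# Constructed observations: (HTTP status, X-Robots-Tag header) that an
# anonymous client got for each path. On a real site these come from
# probing your own URLs while logged out.
OBSERVATIONS = {
    "/": (200, None),
    "/ngg_tag/some-tag": (200, None),       # tag archive still served
    "/wp-admin/edit.php": (302, None),      # redirected to the login page
    "/bookings-page/": (404, None),         # assumed: page set to Private,
                                            # so WordPress hides it from visitors
    "/reports/": (200, "noindex"),          # public but asks engines not to index
}


def crawl_allowed(robots_txt: str, path: str, agent: str = "Googlebot") -> bool:
    """True if robots.txt permits `agent` to fetch `path`."""
    rp = robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(agent, SITE + path)


def classify(status: int, x_robots, crawlable: bool) -> str:
    """Label a path by what an anonymous visitor and a crawler can do with it."""
    if status in (401, 403, 404) or 300 <= status < 400:
        # Content is not served to an anonymous visitor: this is a real control.
        return "not visible"
    noindex = bool(x_robots) and "noindex" in x_robots.lower()
    if not crawlable:
        # Anyone with the link still sees the data. robots.txt is advisory
        # only, and a crawler that is disallowed never sees a noindex either.
        return "public, crawl-blocked"
    if noindex:
        return "public, noindex"
    return "public, indexable"


def audit(robots_txt: str, observations: dict) -> dict:
    """Map each observed path to its classification."""
    return {
        path: classify(status, x_robots, crawl_allowed(robots_txt, path))
        for path, (status, x_robots) in observations.items()
    }


def still_public(results: dict) -> list:
    """Paths that a visitor can still read, regardless of robots.txt."""
    return sorted(p for p, label in results.items() if label.startswith("public"))


if __name__ == "__main__":
    for path, label in audit(ROBOTS_TXT, OBSERVATIONS).items():
        print(f"{path:25} {label}")
```

Read the output with the incident in mind: a path labelled "public, crawl-blocked" is the state the site is in after only editing robots.txt. The data is no longer re-crawled, but anyone who already has the link (including someone who finds it in the existing search index) still gets it, and an already-indexed URL needs a removal request on top of the disallow rule. Only the "not visible" rows, which require a login or a Private page, actually keep the booking details off the public site.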

    Thread Starter bladetwick

    (@bladetwick)

    Hi Jay.
    Just trying to get to the bottom of it really.

    Alex from your support has emailed promptly, thank you for that, and I have responded that the free version does not allow for the VIEW BOOKINGS PAGE section to be accessed; the row is blank anyhow and no page exists for the bookings data.
    I can view bookings from the plug-in dashboard only.

    So:
    Customers’ details, booking times, their email and phone number have been crawled by Google and shown on a NextGen gallery link. (Alex has a link and screenshot).

    I have since deleted the NextGen plug-in, updated the robots.txt file, deleted customer data and checked Google crawl links, so the details should disappear on the next crawl.

    I have today posted on NextGen support here on .org and thought your plug-in might need to be looked at also, as it’s the data from here that’s being transmitted.
    The bookings are kept on the dashboard of the plug-in, so how come they have ended up on Google?
    We can get in real trouble with the new GDPR rules so it might be worth looking at it.

    I have searched other names from bookings and found more of the same links on Google.

    I hope I have eliminated the possible breach by NextGen gallery plug-in by deleting it and taking other necessary steps to secure our data.

    I will need to confirm to our customer when their details have been removed from Google, so it might be reassuring to know that you have also carried out the necessary checks to ensure data will be kept safe. Maybe allow the make bookings private section on the free version?

    I have been using the plug-in for a month on a trial basis; we do need a booking system, however I would need some reassurance if I was to consider upgrading to the full version.

    Thank you.

    Happy to delete the post when resolved, as this is more feedback than criticism; however, the fact remains that booking details ended up on Google.

    Plugin Support jaysupport

    (@jaysupport)

    No booking data from the admin is ever displayed on the front end of your site, and the view bookings form itself is never displayed unless you explicitly enable or place it somewhere on your site. It is not enabled by default.

    If you don’t remember adding the view bookings form to your site, then I’m thinking that maybe you activated the premium trial at one point and set it up during that time. Since discussion of the premium version is not allowed in these forums, we’ll follow up in the email thread you started and explain how this could be the case.

    • This reply was modified 5 years, 7 months ago by jaysupport.
    Thread Starter bladetwick

    (@bladetwick)

    No problem.

    Thank you again for the prompt response

    • This reply was modified 5 years, 7 months ago by bladetwick.

The topic ‘Data Breach on google’ is closed to new replies.