An unsecured Elasticsearch server was recently found exposing around 320 million records, including personally identifiable information (PII), collected from over 70 adult dating and e-commerce websites worldwide.
According to security researchers at vpnMentor, who were tipped off about the unsecured database by an ethical hacker, the database was 882GB in size and contained millions of records from adult dating and e-commerce sites, such as users' personal details, conversations between users, details of romantic interests, emails, and notifications.
The firm said the database was managed by Cyprus-based email marketing company Mailfire, whose marketing software was installed on over 70 adult dating and e-commerce websites. Mailfire’s notification tool is used by the company’s clients to market to their website users and notify them of private chat messages.
The unsecured Elasticsearch database was discovered on 31 August and, creditably, Mailfire took responsibility and closed public access to the database within hours of being informed. Before the server was secured, vpnMentor researchers observed that it was being updated every day with millions of fresh records taken from websites that ran Mailfire’s marketing software.
Aside from containing conversations between users of dating sites, notifications, and email alerts, the database also held deeply personal information about people who used the affected sites, such as their names, ages, dates of birth, email addresses, locations, IP addresses, profile pictures and profile bio descriptions. These details exposed users to dangers such as identity theft, blackmail, and fraud.
The latest leak is very similar to another massive data exposure discovered by vpnMentor in May this year. The firm found a misconfigured AWS S3 bucket that contained up to 845 GB of information obtained from at least eight popular dating apps that were designed by the same developer and had hundreds of thousands of users worldwide.
All the dating apps, whose records were stored in the AWS bucket, were built for people with alternative lifestyles and particular tastes and were named 3somes, CougarD, Gay Daddy Bear, Xpal, BBW Dating, Casualx, SugarD, GHunt, and Herpes Dating. Data stored in the misconfigured bucket included users’ sexual preferences, their intimate pictures, screenshots of private chats, and audio recordings.
In September last year, researchers at WizCase discovered that Heyyo, an online dating app, stored the personal details of all of its 72,000 users in an unprotected Elasticsearch database that could be discovered using search engines. The database contained names, email addresses, country, GPS locations, gender, dates of birth, dating history, profile pictures, phone numbers, occupations, sexual preferences, and links to social media pages.
Around the same time, security researchers at Pen Test Partners discovered that dating app 3Fun, which allowed “local kinky, open-minded people” to meet and interact, leaked near real-time locations, dates of birth, sexual preferences, chat history, and private pictures of as many as 1.5 million users. The researchers said the app had “probably the worst security for any dating app” they’d ever seen.
Commenting on the latest exposure of the private records of tens of thousands of people through an unsecured Elasticsearch database managed by Mailfire, John Pocknell, Sr. Market Strategist at Quest, said these breaches seem to be happening far more frequently. That is concerning, he said, because databases ought to be the environment where organisations have the most visibility and control over the data they hold, so this type of breach should be one of the more easily avoidable.
“Organisations should ensure that only those users who need access have been granted it, that they have the minimum privileges necessary to do their job and wherever possible, databases should be placed on servers that are not directly accessible on the internet.
“But all of this is only really possible if organisations actually have visibility over their sprawling database environments. Years of being able to spin up databases at the drop of a hat have led to a situation where many organisations don’t have a clear picture of what they need to secure; in particular, non-production databases that contain personal data, let alone how they need to go about securing it. You cannot secure what you don’t know about, so until this fundamental issue is resolved, we will continue to see these avoidable breaches hit the headlines,” he added.
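As an added example (not part of the original article, and not tooling from any firm named in it), the following Python audit checks the two points the advice above turns on for an Elasticsearch node: whether it listens on a public interface, and whether authentication and HTTP TLS are switched on. Both configuration samples and the 10.0.12.5 address are constructed placeholders.

```python
"""Flag elasticsearch.yml settings that leave a node reachable and unauthenticated."""
from typing import Dict, List

# Constructed sample resembling a node exposed to the whole internet without auth.
WEAK_CONFIG = """
cluster.name: marketing-events
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: bound to a private address, authentication and HTTP TLS enabled.
HARDENED_CONFIG = """
cluster.name: marketing-events
network.host: 10.0.12.5          # placeholder private address
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Bind values that listen on every interface or on globally routable addresses.
PUBLIC_BINDS = {"0.0.0.0", "::", "_global_"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat `dotted.key: value` lines elasticsearch.yml normally uses (comments ignored)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_config(text: str) -> List[str]:
    """Return one finding per setting that contradicts 'private, authenticated, encrypted'."""
    s = parse_flat_yaml(text)
    findings: List[str] = []
    # network.host may be one value or a bracketed list; the default (_local_) is loopback only.
    hosts = [h.strip().strip("\"'") for h in s.get("network.host", "_local_").strip("[]").split(",")]
    public = [h for h in hosts if h in PUBLIC_BINDS]
    if public:
        findings.append(f"network.host binds public interfaces {public}; use a private address or firewall it")
    sec = s.get("xpack.security.enabled")
    if sec is None:
        findings.append("xpack.security.enabled unset; it is off by default before 8.0, so set it explicitly")
    elif sec.lower() != "true":
        findings.append("xpack.security.enabled is false; anyone who can reach port 9200 can read every index")
    if s.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("xpack.security.http.ssl.enabled is not true; credentials and data cross the wire in clear")
    return findings
```

Run `audit_config(open("elasticsearch.yml").read())` against a real node's file to get the same list of findings; an empty list means all three checks passed.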