An unprotected database on the Elasticsearch server was recently found by security researchers containing detailed personal records of as many as 57 million U.S. citizens and another index of the same database contained 25 million additional data records.
The said database was not protected by a password and could be accessed by anyone with an Internet connection. It was spotted by security researcher Bob Diachenko during a regular security audit of publicly available servers with the Shodan search engine.
Elasticsearch database exposed personal details of millions
According to Diachenko, the unprotected Elasticsearch database contained first names, last names, employers, job titles, email addresses, home address, state, zip, phone numbers, and IP addresses of 56,934,021 US citizens and another index of the same database contained over 25 million data records including names, company details, zip addresses, carrier routes, latitude/longitudes, census tracts, phone numbers, web addresses, email addresses, employees count, revenue numbers, NAICS codes, and SIC codes.
He added that the structure of the field ‘source’ in data fields was similar to those used by a data management company Data & Leads Inc but the firm’s website went offline shortly before the details of the breach were published.
“This is an astounding amount of data to be left unprotected online, leaving 83 million Americans vulnerable. It goes to show that while we have made significant steps in data protection in recent years, we have a long way to go. Not only the volume but the content of the data available means that hackers have a wide variety of avenues from which to approach potential victims in order to attempt a social engineering campaign.
“Organisations are also left wide open by this data, which could facilitate BEC fraud and the serious financial consequences associated with it. American companies and consumers should (as always) be exercising extreme caution when responding to unsolicited emails, and clicking on email links,” said Corin Imai, senior security advisor at DomainTools.
Commenting on the discovery of a large protected database containing records of millions of individuals, Tim Erlin, VP of Tripwire, told TEISS that if unsecured data is left unprotected on the Internet, it will eventually be discovered and either exploited, reported or both. Discovering the data is the first step, but identifying the responsible organisation or individual will come next. We should all be waiting for the other shoe to drop on this story.
“Technology can solve a lot of problems, but security still requires a careful review and implementation of the basics. These types of incidents don’t require sophisticated hackers or nation-state cyberwar budgets. Anyone with the time and an Internet connection can find this data,” he warned.
Last week, Diachenko had unearthed another unprotected cloud database hosted by data aggregator Adapt that contained over 9.3 million data records, including personal data as well as job descriptions of millions of individuals.
The database contained as many as 9,376,173 personal data records that included first and last names, phone numbers, name of the companies where the individuals were employed, job titles, job descriptions, list of company domains, industry, company revenue, email confidence scores, total contacts available in the company, and emails of every contact in the company.