A massive database holding more than 114 million records of U.S. citizens and companies was discovered online and unprotected. The resulting data leak is estimated to affect about 83 million people.
Security researchers at HackenProof found the unsecured 73 gigabytes of data during a regular security audit of publicly available servers they were doing with the Shodan search engine, they said in a blog post. HackenProof connects companies with “white hat” hackers to help find vulnerabilities in their networks.
The root of the issue allowing the database to be open and available online was apparently a misconfiguration of Elasticsearch instances permitting public access to the data without authentication, researchers said. Elasticsearch is a search solution used by e-commerce sites and online merchants to present appropriate goods and services based on customer search queries.
“An open Elasticsearch instance exposed personal info of 56,934,021 U.S. citizens, with information such as first name, last name, employers, job title, email, address, state, zip, phone number and IP address,” researchers said in the post. They found at least three IPs hosting identical Elasticsearch clusters misconfigured for public access, the first of which was indexed by Shodan on November 14.
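The misconfiguration described above is detectable with the same two unauthenticated requests a crawler such as Shodan makes: GET / on the Elasticsearch HTTP port, and GET /_cat/indices. The script below is an added example, not code from HackenProof or Elastic, for checking one's own deployments; the function names, the sample responses and the document counts in them are constructed for this illustration (the field names are the ones Elasticsearch actually returns). A 200 response to / that carries the cluster_name and version fields means the node answers anyone on the network without credentials, which is exactly the state the researchers found.

```python
import json
import urllib.request
from urllib.error import HTTPError, URLError

# Constructed sample: what an unauthenticated GET on "/" of an exposed
# Elasticsearch node returns. Field names are Elasticsearch's own; the
# values are made up for this example.
SAMPLE_ROOT_OPEN = json.dumps({
    "name": "node-1",
    "cluster_name": "example-cluster",
    "version": {"number": "6.4.0", "lucene_version": "7.4.0"},
    "tagline": "You Know, for Search",
})

# Constructed sample: _cat/indices?format=json output from the same node.
SAMPLE_INDICES = json.dumps([
    {"index": "people", "docs.count": "56934021", "store.size": "40gb", "health": "green"},
    {"index": "yellow_pages", "docs.count": "25000000", "store.size": "33gb", "health": "green"},
    {"index": ".kibana", "docs.count": "2", "store.size": "10kb", "health": "green"},
])


def classify_root_response(status, body):
    """Classify the HTTP status and body of GET / on a suspected ES host.

    Returns one of:
      "OPEN"          - 200 with the Elasticsearch banner fields: the cluster
                        can be queried without credentials
      "AUTH_REQUIRED" - 401/403: an authentication layer sits in front of it
      "NOT_ES"        - anything else (not Elasticsearch, or not parseable)
    """
    if status in (401, 403):
        return "AUTH_REQUIRED"
    if status != 200:
        return "NOT_ES"
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return "NOT_ES"
    if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
        return "OPEN"
    return "NOT_ES"


def summarize_indices(body, skip_hidden=True):
    """Parse _cat/indices?format=json and return (index_count, total_docs).

    System indices such as .kibana start with a dot and are skipped by
    default so the total reflects user data only.
    """
    rows = json.loads(body)
    count, total = 0, 0
    for row in rows:
        name = row.get("index", "")
        if skip_hidden and name.startswith("."):
            continue
        count += 1
        # _cat returns numbers as strings; None/"" appears for unassigned shards
        total += int(row.get("docs.count") or 0)
    return count, total


def audit_endpoint(base_url, timeout=5):
    """Probe one of your own Elasticsearch endpoints (hypothetical helper).

    Sends only unauthenticated GETs to "/" and "/_cat/indices?format=json"
    and reports whether the node answers without credentials and, if so,
    how many documents it exposes.
    """
    def fetch(path):
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except HTTPError as e:
            return e.code, ""
        except URLError:
            return None, ""

    status, body = fetch("/")
    verdict = classify_root_response(status, body)
    report = {"url": base_url, "verdict": verdict}
    if verdict == "OPEN":
        status, body = fetch("/_cat/indices?format=json")
        if status == 200:
            report["indices"], report["total_docs"] = summarize_indices(body)
    return report


if __name__ == "__main__":
    # Offline demonstration on the constructed samples above.
    print(classify_root_response(200, SAMPLE_ROOT_OPEN))   # OPEN
    print(summarize_indices(SAMPLE_INDICES))               # (2, 81934021)
```

Running audit_endpoint("http://es.internal.example:9200") against a node that comes back "OPEN" is the finding to fix, not to live with: Elasticsearch's network.host setting controls which interface the HTTP port binds to, and a node that must be reachable beyond localhost belongs behind an authenticating layer (Elastic's security features or a reverse proxy) rather than exposed to the Internet.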
Major data exposure, major risk
One instance of the database contained more than 25 million records accompanied by a “Yellow Pages” directory of sensitive company information, including name, address with ZIP code, Web address, employee count, revenue numbers and e-mail addresses, researchers said.
Leaving so much data unsecured on the Internet can be damaging to companies or individuals involved, as it’s practically inviting bad actors to take advantage of it, Gavin Reid, chief security architect at Recorded Future told Security Ledger.
“These leaks become the feeding ground for the criminal underground,” he said. “We have multi-million dollar criminal enterprises that rely on and then capitalize on exposures of private data like this.”
HackenProof said the source of the leak was not “immediately identifiable,” noting, however, that the structure of the “source” field in the records is similar to that used by data-management company Data & Leads Inc. Researchers were unable to reach company representatives, they said.
While the database discovered by HackenProof is no longer online and accessible to the public, that doesn’t mean the danger has passed for those whose information was exposed, researchers said.
“It is unknown for how long it has been online before Shodan crawlers indexed it on November 14th and who else might have accessed the data,” they wrote in the post.
History repeats itself
You’d think by now–with companies well aware of the danger of exposing sensitive business and customer data publicly–that data leaks like this would be a thing of the past, but they continue to happen on an alarmingly frequent basis.
Sometimes even companies in charge of managing other people’s data slip up and inadvertently expose sensitive data online. That was the case earlier this year when data-management firm Veeam exposed more than 440 million e-mail addresses and other types of customer information.
The Veeam mishap also was due to a misconfigured system–in that case, a server–showing how crucial it is that companies check and double check their networks and systems to ensure they aren’t giving bad actors easy access to data by mishandling it, said Tom Garrubba, senior director of Shared Assessments, a risk-management firm.
“This is of course a major data breach,” he said of the database discovered by HackenProof. “We cannot stress enough of the importance of established checks and balances, segregation of duties, etc., to be defined in procedures and followed with appropriate sign-offs by management.”
Indeed, with bad actors and state-sponsored cyber criminals upping their games, it’s more important than ever to ensure such misconfigurations and other security missteps–either inside the company or with partners–don’t jeopardize company data or systems, concurred Michael Magrath, director of global regulations and standards for security firm OneSpan Inc.
“Cyberattacks will continue,” he said, “and it is imperative that public and private sector organizations not only deploy the latest in authentication and risk-based fraud detection technologies in their organizations, but also make sure all third party partners have equal cybersecurity measures in place.”