Bob Diachenko, the Director of Cyber Risk Research for Hacken, recently made a disturbing discovery. He found an ElasticSearch server open and vulnerable on the internet, without so much as a password to protect it.
Unfortunately, the server was leaking a staggering 73GB of data and had a number of databases cached inside the server’s memory. In one of those databases, Diachenko discovered more than 56 million records containing personally identifiable information belonging to US citizens around the country.
In the majority of cases, the exposed information was limited to:
- Full name
- Email address
- Street address (including Zip Code)
- Phone number or numbers
- IP addresses
Sadly, to an even moderately talented hacker, that’s more than enough information to fake someone’s identity. That means the data has real value on the Dark Web and may be being sold off as you read these words.
Another of the databases contained nearly twenty-six million records containing business information.
In this case, the exposed information included:
- Company name and brief description
- Zip codes and carrier routes
- Latitude and longitude coordinates
- Census tracts
- Website addresses
- Email addresses
- Employee headcounts
- Revenue numbers
- Phone numbers
- SIC codes
- NAICS codes
- And the like
Diachenko made the discovery on November 20th, but upon further research discovered that it had actually been indexed by Shoddan on November 14th. He was not able to determine who owned the exposed server, but based on a few breadcrumbs he did find, he concluded that it’s likely owned by the Canadian data firm “Data and Leads,” or that the company is at least indirectly connected to the server somehow.
The firm did not respond to inquiries made by Diachenko, or later, by ZDNet. Shortly after those requests for comment were made, the company’s website mysteriously went down.
The apparent cause of this breach is the same thing that’s caused other recent ElasticSearch breaches. In a shocking number of cases, admins don’t bother to set up passwords for their servers, which they later leave exposed on the internet. An easy problem to fix, but it begs the question: Are your servers password protected?