An Elasticsearch server is currently scraping posts and public account information on Mastodon users. So far, information on over 150,000 Mastodon users has been scraped, and the process is ongoing. Worse, the server is exposing the logged records to public access without any authentication.
This means that anyone who knows how to search the Shodan search engine can access the information without needing login credentials.
It is worth noting that the exposed server belongs to a third party and is not affiliated with any of the official Mastodon servers.
This was exclusively confirmed to Hackread.com by Anurag Sen, a prominent independent security researcher known for identifying misconfigured databases and cloud servers.
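The exposure described above is the classic Elasticsearch pattern: the HTTP API bound to a public interface with security disabled. The following is an added audit script, not code from Hackread or from the scraping server; it checks a flat elasticsearch.yml for that combination. The sample configs are constructed, and the defaults assumed are network.host=_local_ and xpack.security.enabled=true (the 8.x default; 7.x basic installs default to false).

```python
"""Flag the exposure pattern: public network.host + xpack.security.enabled=false."""
from ipaddress import ip_address

# Constructed sample: bound to every interface, no authentication.
EXPOSED_CONFIG = """\
cluster.name: scraper-cluster
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false   # anyone reaching 9200 can read every index
"""

# Constructed sample: security on, TLS on, bound to loopback.
HARDENED_CONFIG = """\
cluster.name: scraper-cluster
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def parse_flat_yaml(text):
    """Parse the flat 'dotted.key: value' lines Elasticsearch uses; skips comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def is_public_bind(host):
    """True when network.host accepts connections from beyond the local machine."""
    if host.startswith("_") and host.endswith("_"):
        return host != "_local_"  # _site_, _global_, _eth0_ etc. are non-loopback
    try:
        addr = ip_address(host)
    except ValueError:
        return True  # hostname: assume it resolves to a non-loopback address
    return addr.is_unspecified or not addr.is_loopback


def audit(text):
    """Return a list of findings; an empty list means the pattern is absent."""
    s = parse_flat_yaml(text)
    host = s.get("network.host", "_local_")          # assumed default
    security = s.get("xpack.security.enabled", "true").lower()  # assumed default
    findings = []
    if is_public_bind(host) and security == "false":
        findings.append(f"network.host={host} with security disabled: port "
                        f"{s.get('http.port', '9200')} serves all indices to anyone")
    if security == "true" and s.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("security enabled but HTTP TLS off: credentials travel in clear text")
    return findings
```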
Mastodon Scraped Data
The server is actively scraping information from Mastodon users. According to Sen, he found the server on November 15th, 2022; however, it is unclear for how long it has been logging users’ information.
As seen by Hackread.com, this information includes the following:
- Account name
- Display name
- Profile picture
- Following count
- Follower count
- Last status update
The good news is that there are no email addresses or passwords involved. However, Mastodon users should remain cautious and careful with what they share about themselves in public posts or in their profile bio.
The bad news is that Sen could not identify the owner of the misconfigured server. Therefore, there is no one to contact, and the volume of scraped data will likely keep growing in the coming days.
This incident reminds us of the Clubhouse app when, in April 2021, a crook published data of 1.3 million Clubhouse users on Raidforums, a now-seized cybercrime forum. Or Gettr, whose scraped data of 87,000 users was leaked online in July 2021.
What is Mastodon?
Simply put, Mastodon is an alternative to Twitter for those who are not fond of the uncertain policies of its new owner, Elon Musk. Technically, Mastodon is a decentralized, open-source social network. It was launched in 2016 by programmer and entrepreneur Eugen Rochko.
Mastodon is similar to other social networks like Twitter and Facebook, but it has some key differences. For one, Mastodon is decentralized, meaning that there is no central server that controls the network. This makes Mastodon more resistant to censorship and manipulation.
Another key difference is that Mastodon is open-source software. This means that anyone can contribute to the development of the software, and there are no proprietary algorithms or secret code bases.
What is Web Scraping?
Web scraping is the process of extracting data from websites. It can be done manually by a user, but it is more commonly done using automated tools. Automated web scraping tools can extract data from multiple web pages and store it in a format that can be used for further analysis.
Web scraping can be used to collect data about products, prices, reviews, and more. It can also be used to automatically fill out forms or to scrape the contact information from websites.