Misconfigured ElasticSearch Servers Exposed Private Data of over 82 Million Users.
Bob Diachenko, a security researcher at HackenProof, has issued a warning to users in the US: around 73 gigabytes of data were identified during a “regular security audit” of publicly accessible servers indexed by the Shodan IoT search engine.
According to the researcher, in total, three IPs containing identical Elasticsearch clusters exposed to public access were discovered. The unprotected server was indexed on Shodan on November 14.
The information contained in the server included “first name, last name, employers, job title, email, address, state, zip, phone number, and IP address,” explains Diachenko.
In total, the three IPs offered public access to an unsecured private database of 56,934,021 records, and some also carried an additional index whose records offered extra information such as “carrier route, latitude/longitude, census tract, phone number, web address, email, employees count, revenue numbers, NAICS codes, SIC codes.”
The number of extra records identified by the researcher totals around 25 million; cumulatively, therefore, 82 million user records have been exposed to public access.
No conclusive information has been released yet regarding who or what caused the exposure of such a massive amount of personal records. The data fields are suspected to closely resemble those used by Data & Leads Inc., a leading data management company.
Moreover, the company suffering the data exposure did not issue an official statement; it took down its website along with the unsecured databases. Diachenko confirmed this as well:
“As of today, the database is no longer exposed to the public, however, it is unknown for how long it has been online before Shodan crawlers indexed it on November 14th and who else might have accessed the data.”
The exposed database was passed to Troy Hunt’s HaveIBeenPwned data breach indexing platform, and Hunt’s website will be sending breach alerts to affected users, Diachenko affirms in a tweet.
“We have previously reported that the lack of authentication allowed the installation of malware or ransomware on the Elasticsearch servers. The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges,” posted Diachenko.
It is worth noting that Elasticsearch is a RESTful search and analytics engine that binds to localhost by default, precisely to prevent unauthorized access; an instance only becomes reachable from the internet when that default is changed and no authentication is added. However, this is not the first time Elasticsearch has exposed the personal data of American citizens: in June this year, personal data of over 340 million Americans was left exposed on an Elasticsearch server.
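The two conditions behind this kind of exposure, a node bound to a non-loopback address and authentication switched off, can be checked directly in a node’s configuration. The following is an added example, not code from the article or from Elastic: a small Python audit that flags an elasticsearch.yml combining a public network.host with xpack.security.enabled off. It assumes a flat configuration file and the pre-8.x default that security is disabled when the key is absent; the sample configs are constructed.

```python
"""Audit an elasticsearch.yml for the pattern behind the exposure above:
a node bound to a non-loopback address with authentication switched off."""

# Values of network.host that keep the node reachable only from the host itself
LOOPBACK = {"localhost", "127.0.0.1", "::1", "_local_"}


def parse_flat_yaml(text):
    """Minimal parser for the flat 'key: value' lines of elasticsearch.yml; comments
    are skipped and bracketed lists become Python lists (assumption: no nested blocks)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if value.startswith("[") and value.endswith("]"):
            settings[key] = [v.strip().strip("'\"") for v in value[1:-1].split(",") if v.strip()]
        else:
            settings[key] = value.strip("'\"")
    return settings


def audit(settings):
    """Return a list of findings; an empty list means the exposure pattern is absent."""
    hosts = settings.get("network.host", "_local_")   # Elasticsearch default: loopback only
    if not isinstance(hosts, list):
        hosts = [hosts]
    external = [h for h in hosts if h not in LOOPBACK]
    # Assumption: pre-8.x behaviour, where security is off unless explicitly enabled
    security_on = str(settings.get("xpack.security.enabled", "false")).lower() == "true"
    findings = []
    if external and not security_on:
        findings.append(f"bound to {external} with xpack.security.enabled off: anyone who can "
                        "reach the HTTP port can read, modify or delete every index")
    return findings


# Constructed sample configs; not taken from any real server
EXPOSED_CONFIG = """\
cluster.name: leads-index
network.host: 0.0.0.0        # every interface, so an internet scanner can reach it
"""
HARDENED_CONFIG = """\
cluster.name: leads-index
network.host: ["_local_", "_site_"]   # still reachable on the LAN...
xpack.security.enabled: true          # ...but only with credentials
"""
```

Running audit(parse_flat_yaml(EXPOSED_CONFIG)) yields one finding, while the hardened config and a file that leaves network.host at its default yield none.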