Content

ElasticSearch server exposed data of nearly 57M U.S. residents

An ElasticSearch server database containing the information of nearly 57 million U.S. residents was found to have been left exposed without a password.

On November 20, 2018, Bob Diachenko, director of cyber risk research for Hacken, which also discovered the Kars4Kids leak, discovered the breach while conducting a security audit of publicly available servers with the Shodan search engine, according to a Nov. 28 blog post.

The data base was first indexed by Shodan on November 14, 2018 and contained the information including first and last names, employers, job titles, email, addresses, state, zip codes, phone numbers, and IP addresses. Diachenko also reportedly discovered a second cached database named "Yellow Pages," which reportedly held an additional 25,917,820 records, which appeared to be business entries. 

It’s unclear if any of these entries belonged to Urban Massage which also suffered a similar breach dealing with an ElasticSearch server which wasn’t password protected.

The source of the leak wasn’t immediately identifiable however, Diachenko was able to trace the breach back to management company Data & Leads Inc. due to the structure of the field "source." The database is no longer exposed as of today.

CloudKnox Security CEO Balaji Parimi noted the similarity between ElasticSearch server incidents and the abundance of Amazon S3 buckets that are left insecure which create opportunities for data leakage.

“That’s why it’s so important for organizations to understand who have the privileges that can lead to these types of issues and proactively manage those privileges to reduce risk exposure,” Parimi said. “Overprivileged identities are one of the biggest threats facing enterprises with complex, multi-cloud environments, and we will continue to see database leaks like this one until companies get better at assessing and managing unused, high-risk privileges.”

Experts agree, Tim Erlin, vice president of product management and strategy at Tripwire, noted that discovering the data is the first step, but identifying the responsible organization or individual will come next.

“Technology can solve a lot of problems, but security still requires a careful review and implementation of the basics,” Erlin said. “These types of incidents don’t require sophisticated hackers or nation-state cyberwar budgets. Anyone with the time and an Internet connection can find this data.”

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.