ElasticSearch server exposed data of nearly 57M U.S. residents

An ElasticSearch database containing personal information on nearly 57 million U.S. residents was found exposed on the internet with no password protection.

Bob Diachenko, director of cyber risk research at Hacken, the firm that also discovered the Kars4Kids leak, found the exposed server on November 20, 2018, while auditing publicly reachable servers with the Shodan search engine, according to a Nov. 28 blog post.

The database was first indexed by Shodan on November 14, 2018. Its records included first and last names, employers, job titles, email addresses, street addresses, states, ZIP codes, phone numbers, and IP addresses. Diachenko also reportedly found a second database on the same server named "Yellow Pages," holding an additional 25,917,820 records that appeared to be business listings.

It is unclear whether any of these records belonged to Urban Massage, which suffered a similar exposure involving an ElasticSearch server that was not password protected.

The owner of the data was not immediately identifiable; however, Diachenko was able to trace the database to the data management company Data & Leads Inc. from the structure of the "source" field in the records. The database is no longer exposed as of this writing.
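The exposures described here follow a common pattern: an ElasticSearch node bound to a public interface with security disabled, so that its REST API on port 9200 answers anyone who finds it. The following elasticsearch.yml fragments are an added illustration, not configuration from the article or from Data & Leads Inc.; the private address and certificate path are placeholders, and the two YAML documents stand for two alternative files.

```yaml
# Added example: the exposed pattern next to a hardened equivalent.
# Not from the article or from any company it names.

# --- Exposed configuration (do not use) ---
# Binding to all interfaces publishes the REST API to whatever the host
# firewall allows. With security off, anyone who finds the host (for example
# through Shodan) can run GET /_cat/indices and read every document.
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
---
# --- Hardened configuration ---
# Listen only on a private interface (the shipped default is loopback, so
# exposure usually comes from changing this); reach the node over a VPN or
# through a reverse proxy that enforces authentication.
network.host: 10.0.0.5          # assumed private address
http.port: 9200
# Require authentication and authorization. Free in the Basic license since
# 6.8/7.1 and enabled by default in 8.x; on older 6.x nodes this needed a
# paid license, so rely on network restriction and a proxy there.
xpack.security.enabled: true
# Encrypt client traffic so credentials are not sent in clear text.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12   # assumed path
```

A quick external check for the weak state is whether `GET http://host:9200/_cat/indices` returns an index listing without credentials; a hardened node returns 401 or is unreachable from the internet.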

CloudKnox Security CEO Balaji Parimi noted the similarity between ElasticSearch server incidents and the many Amazon S3 buckets left insecure, both of which create opportunities for data leakage.

“That’s why it’s so important for organizations to understand who has the privileges that can lead to these types of issues and proactively manage those privileges to reduce risk exposure,” Parimi said. “Overprivileged identities are one of the biggest threats facing enterprises with complex, multi-cloud environments, and we will continue to see database leaks like this one until companies get better at assessing and managing unused, high-risk privileges.”

Tim Erlin, vice president of product management and strategy at Tripwire, agreed, noting that discovering the data is only the first step; identifying the responsible organization or individual comes next.

“Technology can solve a lot of problems, but security still requires a careful review and implementation of the basics,” Erlin said. “These types of incidents don’t require sophisticated hackers or nation-state cyberwar budgets. Anyone with the time and an Internet connection can find this data.”
