Misconfigured ElasticSearch server exposes 73 GB data of 57 million US citizens
- The compromised information includes first names, last names, employer IDs, job titles, email addresses and more.
- The same server also contained a second cached database containing more than 25 million records belonging to ‘Yellow Pages’.
An unprotected ElasticSearch server that contained the personal information of nearly 57 million US citizens was left publicly exposed online for almost two weeks. The data was stored on the server without a password.
The leaky server was identified by Bob Diachenko, Director of Cyber Risk Research at Hacken, on November 20, 2018. He discovered the exposure during a regular security audit of unsecured servers indexed by Shodan.
Upon investigation, it was found that the server was leaking over 73 GB of data belonging to 56,934,021 US residents. The information exposed includes first names, last names, employer IDs, job titles, email addresses, physical addresses, state, ZIP codes, phone numbers and IP addresses.
Although Diachenko discovered the leaky server on November 20, the researcher believes it had been publicly accessible since November 14. The researcher also discovered that the same server contained a second cached database with more than 25 million records belonging to ‘Yellow Pages’.
The data leaked via this database included information such as names, company details, ZIP codes, carrier routes, latitude/longitude, census tracts, phone numbers, web addresses, emails, employee count, revenue numbers, NAICS codes, SIC codes and more.
It is unclear whether a third-party vendor or a threat group was involved in the breach. However, Diachenko believes that Data & Leads Inc, a data management company, might be behind the attack.
“While the source of the leak was not immediately identifiable, the structure of the field ‘source’ in data fields is similar to those used by a data management company Data & Leads Inc. However, we weren’t able to get in touch with their representatives,” said Diachenko in the blog post.
The unprotected server has since been taken down, and the leaky databases are no longer available to the public. Diachenko has provided a copy of the exposed information to the data breach index service ‘Have I Been Pwned’. Users can check whether their data was affected by visiting the site.