Security researcher Sanyam Jain has uncovered an unprotected Elasticsearch database that has been left publicly accessible without any authentication.
What was exposed?
The leaky database has exposed the personal information of almost 8 million people who had participated in online surveys, contests, and requests for free product samples.
Who is the owner of the database?
The security researcher noted that he came across many records that had a field with ‘userenroll.com’ domain in it. Jain learned that the domain belonged to an online marketing company named PathEvolution.
Jain then found out that PathEvolution was owned by a parent company named Ifficient. However, he could not contact the owner so he contacted Amazon who was hosting the database and notified them about the unsecured database.
The leaky database was finally secured on May 11, 2019, by Ifficient, after being contacted by Amazon.
“We received a single notification from Amazon and took necessary steps to address identified vulnerabilities, if any, within hours of being notified of the potential problem. Amazon referenced a far greater number of records exposed, but these records pertained to impression data and therefore included an extremely high number of duplicate records,” Ifficient said.
“According to nearly all applicable state data breach notification statutes, this information does not constitute personal information. Most notably, we don't capture or store SSN, drivers license or state ID numbers, or financial account or payment card numbers. Regardless, we are currently taking steps to notify individuals for whom data sets defined by the applicable state statutes to constitute personal information was stored. We'll also be offering identity monitoring services to those individuals,” Ifficient said, BleepingComputer reported.