Security researchers have uncovered a massive 890GB database containing over one million highly sensitive web browsing records leaked by a South African IT company.
The Elasticsearch database, which was left online without any password protection, belonged to Conor, which has a range of big-name ISP and telco clients in Africa and South America, according to vpnMentor.
The unencrypted data trove related to a web filtering product the South African firm produced for these clients. Effectively this meant it revealed user activity logs for the previous two months, including website URLs, IP address, index names, and MSISDN codes which identify mobile users on a specific network.
These details include highly sensitive web browsing activity such as attempts to visit pornography sites, social media accounts, online storage including iCloud and messaging apps such as WhatsApp.
“Because the database gave access to a complete record of each user’s activity in a session, our team was able to view every website they visited – or attempted to visit. We could also identify each user,” the vpnMentor team explained.
“For an ICT and software development company not to protect this data is incredibly negligent. Conor’s lapse in data security could create real-world problems for the people exposed.”
If hackers had access to the leaked browsing data, exposed customers could find themselves targeted for blackmail and extortion due to the sensitive nature of the sites they may have visited.
That’s not to mention the reputational impact on Conor itself, among its client base, and the ISPs to whom end users would probably turn their ire in the event of a serious breach.
This is just the latest in a long line of exposed Elasticsearch databases revealed by vpnMentor as part of a major web mapping project designed to improve cloud security.
Erring brands have included cosmetics giant Yves Rocher, Canadian telco Freedom Mobile, and Best Western Hotels.