Newspaper Le Figaro has become the latest big name humbled by a human error-based data leak, after a cloud server was found to have exposed 7.4 billion records including readers’ personal information.
Researchers at Security Detectives led by Anurag Sen found the 8TB Elasticsearch database, hosted by a firm called Dedibox, wide open with no password protection.
Although the database belonged to Le Figaro, the server on which it was hosted was owned by Poney Telecom, which the researchers claimed “has a reputation for shady, unethical hosting practices and security issues, and is notorious for many online attacks that seem to originate from within its network of servers.”
The database contained API logs for the past three months, although it was built in March 2019. These logs contained records of new subscribers and previously subscribed users logging in during the period.
Exposed PII data included full names, emails, home addresses, countries of residence and post codes, IP addresses, server access tokens and passwords for new users both in cleartext and hashed with the unreliable MD5 algorithm.
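To make concrete why unsalted MD5 is a poor choice for the passwords mentioned above, the following is an added illustration (not code from the article or from Le Figaro's systems). It contrasts a deterministic, unsalted MD5 digest with a salted, iterated PBKDF2-SHA256 hash, and shows how, in a constructed sample of leaked `(user, md5)` records, identical digests immediately reveal which users share a password. The record format `pbkdf2_sha256$iterations$salt$digest` and the sample records are assumptions made for the example.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


def md5_hex(password: str) -> str:
    """Unsalted MD5, the scheme reported in the leak: fast and deterministic,
    so the same password always yields the same digest for every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, iterations: int = 600_000,
                salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-SHA256. A fresh random salt per user means two
    users with the same password get unrelated records, and the iteration
    count makes each guess expensive. Storage format is an assumption here:
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and iteration count and
    compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def password_reuse_groups(records: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group users by MD5 digest. With no salt, every shared digest is a shared
    password, so an exposed table leaks reuse patterns without any cracking."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for user, digest in records:
        groups[digest].append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


# Constructed sample records (not real leaked data) in the unsalted form.
SAMPLE_MD5_RECORDS = [
    ("alice", md5_hex("correct horse")),
    ("bob", md5_hex("hunter2")),
    ("carol", md5_hex("correct horse")),
    ("dave", md5_hex("s3cret!")),
]


if __name__ == "__main__":
    print("MD5 of the same password for two users:",
          md5_hex("correct horse") == md5_hex("correct horse"))
    a, b = pbkdf2_hash("correct horse"), pbkdf2_hash("correct horse")
    print("PBKDF2 records for the same password differ:", a != b)
    print("Both still verify:", verify_pbkdf2("correct horse", a) and verify_pbkdf2("correct horse", b))
    print("Users sharing a password, visible directly from the MD5 table:",
          password_reuse_groups(SAMPLE_MD5_RECORDS))
```

The point for a defender is the first and last lines of output: an unsalted, fast digest turns a leaked user table into a map of password reuse with no further effort, whereas the salted PBKDF2 records reveal nothing about which users share a password and cost real work per guess.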
This could provide hackers with a trove of information to launch follow-on phishing or identity fraud attempts. Users’ emails and passwords could also be used in credential stuffing attacks to access other online accounts.
An unspecified number of emails and names of reporters and employees were apparently also exposed in the privacy snafu.
Security Detectives estimates at least 42,000 new users were affected by the leak.
The data trove may also have exposed the newspaper to further attacks, according to the researchers.
“The exposed database was an excellent asset for anyone trying to attack Le Figaro’s backend systems,” they said. “It could be leveraged in further cyber-attacks against the company, or to expose other flaws in their system, which could put both the company and its users at risk.”