A London-based cybersecurity vendor appears to have leaked a massive database of previously breached user information dating back seven years.
Researcher Bob Diachenko found the unsecured Elasticsearch instance on March 15. It contained two collections, one with 15 million records updating in real time, and another containing nearly 5.1 billion.
UPDATE: Since the time of publishing, researcher Bob Diachenko has confirmed the company’s data and customer records were not exposed, as the incident involved only collections of previously reported data breaches.
He claimed the data was well structured and featured hash type, leak date, password, email, email domain and source of the original breach. Passwords were hashed, encrypted and/or in plain text depending on the incident in question.
The data spanned several years of breaches, from 2012 to last year, and apparently included some notable scalps such as Adobe, Last.fm, Twitter, LinkedIn, Tumblr and VK.
According to Diachenko, checks of the SSL certificate and reverse DNS record revealed that the publicly available Elasticsearch instance was managed by a UK security vendor.
Although the firm apparently didn’t reply to his initial security alert, the database was secured just an hour after it was sent.
“Even though most of the data seems to be collected from previously known sources, such a large and structured collection of data would pose a clear risk to people whose data was exposed. An identity thief or phishing actor couldn’t ask for a better payload,” argued Diachenko.
“Fraudsters might target affected people with scams and phishing campaigns, using their personal information to craft targeted messages.”
Major data leaks of this sort are becoming increasingly common, as configuration errors lead to unintended consequences.
In November last year, Diachenko and researcher Vinny Troia discovered an exposed Elasticsearch server containing personal information on over one billion consumers harvested by two data enrichment firms.
A month later, a massive 890GB database containing over one million highly sensitive web browsing records was leaked by a South African IT company.
Also in December 2019, Diachenko found an unsecured Elasticsearch database containing over one billion “combo” lists of breached passwords and emails.