Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:30 PM
Connect Directly

Data Leak Week: Billions of Sensitive Files Exposed Online

A total of 2.7 billion email addresses, 1 billion email account passwords, and nearly 800,000 applications for copies of birth certificate were found on unsecured cloud buckets.

Revelations this week of separate data exposure incidents — a billion passwords displayed in plaintext as well as hundreds of thousands of US birth certificate applications — shared a common thread: unsecured cloud-based databases that left the sensitive information wide open for anyone to access online.

An epidemic in the past year or so of organizations inadvertently leaving their Amazon Web Services S3 and ElasticSearch cloud-based storage buckets exposed and without proper security has added a new dimension to data breaches. Organizations literally aren't locking down their cloud servers, researchers are finding them en masse, and it's likely cybercriminals and nation-state are as well. Misconfigured online storage has led to an increase of 50% in exposed files this year over 2018, according to data from Digital Shadows published in May. 

"Cloud services are inexpensive ways to do things we've done expensively for years, so it makes sense why so many people are moving their resources to the cloud. The problem is that it's still far too easy to make mistakes that expose all your data to the Internet," says John Bambanek, vice president of security research and intelligence at ThreatStop.

Security researcher Bob Diachenko last week discovered a massive ElasticSearch database of more than 2.7 billion email addresses, 1 billion of which included passwords in plaintext. Most of the stolen email domains were from Internet providers in China, such as Tencent, Sina, Sohu, and NetEase, although there were some Yahoo, Gmail, and Russian email domains as well. The pilfered emails that came with the passwords were confirmed to be part of a previous massive breach from 2017, when a Dark Web vendor had them for sale.

The ElasticSearch server was hosted at a US-based colocation service, which on Dec. 9 took down the server after Diachenko reported it. It had sat wide open and searchable, with no password protection, for at least one week.

"In terms of numbers, this is perhaps the biggest thing I've seen" in exposed records, says Diachenko, cyber threat intelligence director at SecurityDiscovery.com, who has unearthed multiple data exposures since 2018, including a database of 275 million personal records of Indian citizens this past May. "What's interesting about [this latest] particular exposure is that it was stored in a public cluster, and it seemed the data has been [updating] in real time."

Diachenko says he wasn't able to verify each email as valid and active, but he did cross-reference some with previously reported breaches he had found. He says it's unlikely many of the victims are aware of the breach. "The chances are high these email accounts are still vulnerable," he says, because users in that region often are not alerted to a breach and services to check email compromises can be blocked by China's Great Firewall. He teamed up with Comparitech to study the exposed data.

It's unclear for sure just who was behind the database — cybercriminals or even security researchers — but either way, the configuration oversight was a blatant security misstep. ElasticSearch offers security options, Diachenko notes, but this example and others are just another example of how many organizations ignore or overlook securing cloud storage.

One clue he found: The owners of the database had hashed the stolen email addresses with MD5, SHA1, and SHA256 hashes of each address, which Diachenko believes was for ease of search purposes in the database. "My best shot is that somebody just bought it and was trying to start a searchable database for I don't know what reasons," he says. "And ElasticSearch was misconfigured and became publicly available."

Another Badly Built Bucket
Meanwhile, researchers at Fidus Information Security, a UK-based penetration testing firm, separately discovered nearly 800,00 online applications for copies of US birth certificates on an exposed AWS S3 storage bucket belonging to a firm that provides a service for obtaining copies of birth and death certificate copies. The bucket had no password protection, so the database was open to anyone who found it.

Interestingly, the storage bucket's trove of 94,000 death certificate copy applications was not accessible, according to TechCrunch, which reported this week that it had verified the records for Fidus. 

Data included in the birth record applications, which dated back to late 2017, ranges from names, birthdates, addresses, email addresses, phone numbers, and other personal data, TechCrunch found.

Andrew Mabbitt, director of Fidus, says his firm found the data while working on an AWS S3 project. "The bucket was configured for complete world readable access — allowing anybody with the URL to obtain a full list of all files," Mabbitt says.

The server — and data — still remain exposed. "We contacted the company numerous times and got no response at all. We contacted the Amazon AWS security team, who thanked us for the report and said they would pass it on to the bucket owner," he says. "I assume this was done, but their email to the owner was ignored, too."

Misconfigured and exposed data sitting on the public Internet is ripe for fraud and identity theft. Attackers can use email addresses for targeted phishing or use personally identifiable information to hack bank or other valuable accounts as well.

Anurag Kahol, CTO of Bitglass, recommends organizations ensure they have full knowledge and visibility of customer data. He also advises they employ real-time access control, encryption of at-rest data, and can detect any misconfigured cloud security settings.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Security 101: What Is a Man-in-the-Middle Attack?"

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
12/12/2019 | 2:55:40 PM
Unfortunately, this article could be reposted many different times throughout the year
It's truly like the movie Groundhog Day, same story seems to repeat itself...maybe a different agency, company or service provider are hit. But, the result is the same...
[email protected],
User Rank: Moderator
12/11/2019 | 11:46:48 AM
Data Leak Week: Billions of Sensitive Files Exposed Online
Great article, very well laid out. May ask I if you would consider writing an article on the number of entry level cybersecurity professionals that can't get hired because companies are grabbing CS pros from other businesses. Which inturn feeds appears to be fueling the false narrative of a skills gap and shortage. As an aspiring, studying for AWS certs, CS candidate, I can tell you this breach was avoidable. Whomever configured the IAM accounts failed to properly set least privilege and improper security group roles. If the went on form a week it also appears no one was doing an account review. This breach was avoidable.
Major Brazilian Bank Tests Homomorphic Encryption on Financial Data
Kelly Sheridan, Staff Editor, Dark Reading,  1/10/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft Patches Windows Vuln Discovered by the NSA
Kelly Sheridan, Staff Editor, Dark Reading,  1/14/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Post a Comment
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-17
openQA before commit c172e8883d8f32fced5e02f9b6faaacc913df27b was vulnerable to XSS in the distri and version parameter. This was reported through the bug bounty program of Offensive Security
PUBLISHED: 2020-01-17
The keystone-json-assignment package in SUSE Openstack Cloud 8 before commit d7888c75505465490250c00cc0ef4bb1af662f9f every user listed in the /etc/keystone/user-project-map.json was assigned full "member" role access to every project. This allowed these users to access, modify, create and...
PUBLISHED: 2020-01-17
The docker-kubic package in SUSE CaaS Platform 3.0 before 17.09.1_ce-7.6.1 provided access to an insecure API locally on the Kubernetes master node.
PUBLISHED: 2020-01-17
In SaltStack Salt through 2019.2.0, the salt-api NEST API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.
PUBLISHED: 2020-01-17
Intelbras WRN240 devices do not require authentication to replace the firmware via a POST request to the incoming/Firmware.cfg URI.