Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

12/10/2019
06:30 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Data Leak Week: Billions of Sensitive Files Exposed Online

A total of 2.7 billion email addresses, 1 billion email account passwords, and nearly 800,000 applications for copies of birth certificate were found on unsecured cloud buckets.

Revelations this week of separate data exposure incidents — a billion passwords displayed in plaintext as well as hundreds of thousands of US birth certificate applications — shared a common thread: unsecured cloud-based databases that left the sensitive information wide open for anyone to access online.

An epidemic in the past year or so of organizations inadvertently leaving their Amazon Web Services S3 and ElasticSearch cloud-based storage buckets exposed and without proper security has added a new dimension to data breaches. Organizations literally aren't locking down their cloud servers, researchers are finding them en masse, and it's likely cybercriminals and nation-state are as well. Misconfigured online storage has led to an increase of 50% in exposed files this year over 2018, according to data from Digital Shadows published in May. 

"Cloud services are inexpensive ways to do things we've done expensively for years, so it makes sense why so many people are moving their resources to the cloud. The problem is that it's still far too easy to make mistakes that expose all your data to the Internet," says John Bambanek, vice president of security research and intelligence at ThreatStop.

Security researcher Bob Diachenko last week discovered a massive ElasticSearch database of more than 2.7 billion email addresses, 1 billion of which included passwords in plaintext. Most of the stolen email domains were from Internet providers in China, such as Tencent, Sina, Sohu, and NetEase, although there were some Yahoo, Gmail, and Russian email domains as well. The pilfered emails that came with the passwords were confirmed to be part of a previous massive breach from 2017, when a Dark Web vendor had them for sale.

The ElasticSearch server was hosted at a US-based colocation service, which on Dec. 9 took down the server after Diachenko reported it. It had sat wide open and searchable, with no password protection, for at least one week.

"In terms of numbers, this is perhaps the biggest thing I've seen" in exposed records, says Diachenko, cyber threat intelligence director at SecurityDiscovery.com, who has unearthed multiple data exposures since 2018, including a database of 275 million personal records of Indian citizens this past May. "What's interesting about [this latest] particular exposure is that it was stored in a public cluster, and it seemed the data has been [updating] in real time."

Diachenko says he wasn't able to verify each email as valid and active, but he did cross-reference some with previously reported breaches he had found. He says it's unlikely many of the victims are aware of the breach. "The chances are high these email accounts are still vulnerable," he says, because users in that region often are not alerted to a breach and services to check email compromises can be blocked by China's Great Firewall. He teamed up with Comparitech to study the exposed data.

It's unclear for sure just who was behind the database — cybercriminals or even security researchers — but either way, the configuration oversight was a blatant security misstep. ElasticSearch offers security options, Diachenko notes, but this example and others are just another example of how many organizations ignore or overlook securing cloud storage.

One clue he found: The owners of the database had hashed the stolen email addresses with MD5, SHA1, and SHA256 hashes of each address, which Diachenko believes was for ease of search purposes in the database. "My best shot is that somebody just bought it and was trying to start a searchable database for I don't know what reasons," he says. "And ElasticSearch was misconfigured and became publicly available."

Another Badly Built Bucket
Meanwhile, researchers at Fidus Information Security, a UK-based penetration testing firm, separately discovered nearly 800,00 online applications for copies of US birth certificates on an exposed AWS S3 storage bucket belonging to a firm that provides a service for obtaining copies of birth and death certificate copies. The bucket had no password protection, so the database was open to anyone who found it.

Interestingly, the storage bucket's trove of 94,000 death certificate copy applications was not accessible, according to TechCrunch, which reported this week that it had verified the records for Fidus. 

Data included in the birth record applications, which dated back to late 2017, ranges from names, birthdates, addresses, email addresses, phone numbers, and other personal data, TechCrunch found.

Andrew Mabbitt, director of Fidus, says his firm found the data while working on an AWS S3 project. "The bucket was configured for complete world readable access — allowing anybody with the URL to obtain a full list of all files," Mabbitt says.

The server — and data — still remain exposed. "We contacted the company numerous times and got no response at all. We contacted the Amazon AWS security team, who thanked us for the report and said they would pass it on to the bucket owner," he says. "I assume this was done, but their email to the owner was ignored, too."

Misconfigured and exposed data sitting on the public Internet is ripe for fraud and identity theft. Attackers can use email addresses for targeted phishing or use personally identifiable information to hack bank or other valuable accounts as well.

Anurag Kahol, CTO of Bitglass, recommends organizations ensure they have full knowledge and visibility of customer data. He also advises they employ real-time access control, encryption of at-rest data, and can detect any misconfigured cloud security settings.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Security 101: What Is a Man-in-the-Middle Attack?"

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
bwilkes8@gmail.com
50%
50%
[email protected],
User Rank: Moderator
12/11/2019 | 11:46:48 AM
Data Leak Week: Billions of Sensitive Files Exposed Online
Great article, very well laid out. May ask I if you would consider writing an article on the number of entry level cybersecurity professionals that can't get hired because companies are grabbing CS pros from other businesses. Which inturn feeds appears to be fueling the false narrative of a skills gap and shortage. As an aspiring, studying for AWS certs, CS candidate, I can tell you this breach was avoidable. Whomever configured the IAM accounts failed to properly set least privilege and improper security group roles. If the went on form a week it also appears no one was doing an account review. This breach was avoidable.
smtaylor12
50%
50%
smtaylor12,
User Rank: Author
12/12/2019 | 2:55:40 PM
Unfortunately, this article could be reposted many different times throughout the year
It's truly like the movie Groundhog Day, same story seems to repeat itself...maybe a different agency, company or service provider are hit. But, the result is the same...
5 Ways to Up Your Threat Management Game
Wayne Reynolds, Advisory CISO, Kudelski Security,  2/26/2020
Exploitation, Phishing Top Worries for Mobile Users
Robert Lemos, Contributing Writer,  2/28/2020
Kr00k Wi-Fi Vulnerability Affected a Billion Devices
Robert Lemos, Contributing Writer,  2/26/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3006
PUBLISHED: 2020-02-28
On the QFX3500 and QFX3600 platforms, the number of bytes collected from the RANDOM_INTERRUPT entropy source when the device boots up is insufficient, possibly leading to weak or duplicate SSH keys or self-signed SSL/TLS certificates. Entropy increases after the system has been up and running for so...
CVE-2015-5361
PUBLISHED: 2020-02-28
Background For regular, unencrypted FTP traffic, the FTP ALG can inspect the unencrypted control channel and open related sessions for the FTP data channel. These related sessions (gates) are specific to source and destination IPs and ports of client and server. The design intent of the ftps-extensi...
CVE-2020-6803
PUBLISHED: 2020-02-28
An open redirect is present on the gateway's login page, which could cause a user to be redirected to a malicious site after logging in.
CVE-2020-6804
PUBLISHED: 2020-02-28
A reflected XSS vulnerability exists within the gateway, allowing an attacker to craft a specialized URL which could steal the user's authentication token. When combined with CVE-2020-6803, an attacker could fully compromise the system.
CVE-2019-4301
PUBLISHED: 2020-02-28
BigFix Self-Service Application (SSA) is vulnerable to arbitrary code execution if Javascript code is included in Running Message or Post Message HTML.