Approximately 49 million unique email addresses, as well as a large number of names, phone numbers, gender, and postal addresses, were exposed to public access after Israeli marketing agency Straffic left authentication credentials of an AWS Elasticsearch database containing 140GB of contact details online.
The massive leak of contact details was discovered by a DevOps engineer using the Twitter handle @_0m3n_. The engineer recently decided to investigate some web links that he received via spam texts and chanced upon a .env file on a web server that led him to an AWS Elasticsearch instance.
“I have been getting spam text messages for the past two years from random phone numbers with similar messages containing links to gibberish domains. I decided to take a look at one and found a .env file on the webserver of one of the domains in said messages which was a config file that pointed to an AWS Elasticsearch instance,” he told the Information Security Media Group.
Even though the Elasticsearch database was password-protected, the engineer used credentials stored in the config file to access its contents. Inside the database, he found 140GB worth of contact details of U.S. and European residents that included 49 million unique email addresses as well as names, phone numbers, gender and postal addresses of millions spanning 305 million rows of information.
“This incident is yet another example of an organisation siphoning up huge amounts of personal data with those in there (almost certainly) having no idea who the company is. Then leaving it all in a publicly accessible Elasticsearch instance,” noted security researcher Troy Hunt, who owns the breach notification website Have I Been Pwned?
Israeli marketing agency says exposed database contained a security vulnerability
Straffic, the Israeli marketing agency that owned the Elasticsearch database, confirmed on Wednesday that it had identified a “security vulnerability” in one of its databases and that it can confirm the vulnerability did not result in any data misuse or data loss.
“We would like to bring to your attention that we have been reported that a security vulnerability has been found on one of the servers we use to provide our services. Following this report, we confirmed a weakness did exist and promptly patched it, in addition to fortifying our existing security protocols.
“As of now, all systems are secure and we did not find evidence of any data misuse or data loss. We continue to investigate and will notify if we find evidence to the contrary. Although we do our very best to protect the security of our service and deeply regret such a vulnerability has been found on our service, it is impossible to create a totally immune system, and these things can occur. We would like to express our gratitude for those of you who notified us, and ask that you help us keep our services safe,” the agency said.
Web servers containing customer data must be secured with Zero Trust CASB
Commenting on the exposure of contact details of millions of people via the leaked credentials, Raif Mehmet, Sales Director at Bitglass, told TEISS that since the web server containing the Elasticsearch instance was clearly accessible via the web and there was no network perimeter security challenging potential hackers, the best way to secure this type of service is with a Zero Trust CASB.
“Proxying all traffic to the server introduces a zero trust cloud which leads to contextually aware network access. All traffic to and from the server would also be scanned for DLP and malware stopping potentially dangerous vulnerabilities from being exploited until patched. File encryption could add another layer of security to all PII information. Techniques can also be used to search on the data by installing handles prior to encrypting the data,” he added.
According to Adam Brown, security solutions manager at Synopsys, the fact that an Israeli marketing agency stored and processed the personal data of millions of Europeans could, in itself, be a major breach of privacy law if the company did not have the right to keep and process each of those personal records.
“Privacy aside, the report states that this firm did have access control of some kind protecting this database, however the researcher effectively found the keys to the lock in another location that was left open. This is a little like locking your car and then leaving the keys under the wheel arch, but instead of the car being at risk of being stolen, the privacy rights of millions of individuals were at risk, and were stolen,” he added.