Digital Point exposed the data on a misconfigured Elasticsearch database.
The self-proclaimed world's biggest webmaster forum and marketplace for web services, Digital Point is yet another entity in the line of fire. Jeremiah Fowler, a security researcher and co-founder of Security Discovery, working with WebsitePlanet, discovered an unprotected Elasticsearch database belonging to Digital Point that exposed the data of 863,412 users.
Digital Point, located in San Diego, California, provides a range of services including Search Engine Optimization (SEO), analytics, advertising and a marketplace for buying and selling websites. That marketplace also brings together freelancers, service providers, and marketers.
Security and data breaches have become an everyday occurrence, and users whose data has been exposed feel violated, targeted, and frustrated, to say the least. In this incident, user names, email addresses, internal IDs and records, and user posts were exposed.
This is a rather critical mistake on the company's part, especially when its clientele is spread across the globe, as Digital Point claims. Loss of reputation and customers, and subsequent litigation, can follow.
Fowler found that the Elasticsearch database had no password protection and could be reached from any web browser over the public internet. In the wrong hands, the data could have been edited, downloaded, or deleted without any administrative credentials.
Such exposed data is an easy target for email phishing campaigns and other fraud. Sensitive information of this kind is also a treasure trove for threat actors, who can use it for impersonation, domain hijacking, and blackmail.
In Digital Point's case, user posts, including posts that had been reported to admins and flagged, were openly exposed. Many users had written detailed and legitimate descriptions of issues with sellers, bad business dealings, and spam reports. Such reports are made anonymously for a reason, and it is highly unlikely that anyone would want them publicly exposed.
In a blog post, Fowler wrote:
We sent a responsible disclosure notice of the data incident as soon as the database was discovered on July 1st. Public access to the data was restricted within hours after the notification. However, no one from Digital Point ever replied to the initial data exposure notice or a follow-up request. We have not received any comment or reply from Digital Point at the time of this publication.
This is just a blip on the radar. With data breaches, time is of the essence: besides the risk of ransomware, there is a high probability of an unprotected database being wiped by the Meow bot. Unprotected databases are sitting ducks for threat actors.
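The check a responder would run on a database like the one described above (does the node answer anonymous requests, what can an anonymous visitor enumerate, and has the Meow bot already been through) is shown below as an added example. This is not code from the article, from Digital Point, or from Security Discovery; it sends only read-only GET requests with no credentials, the hostname in the usage line is a placeholder, and every sample response embedded in it is constructed.

```python
"""Probe an Elasticsearch node for unauthenticated access.

Added example for this article; it is not code from the original page, from
Digital Point, or from Security Discovery. It sends read-only GET requests with
no credentials and reports what an anonymous visitor could see. The hostname in
the usage line is a placeholder, and all sample responses below are constructed.
"""
import json
import urllib.error
import urllib.request


def fetch(url, timeout=5):
    """GET a URL without credentials; return (HTTP status, body text)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify_root(status, body):
    """Interpret GET / on the node.

    A node with security enabled answers 401 to anonymous requests; a node
    without it answers 200 with its cluster name and version, which is what
    a browser shows for a database exposed the way this one was.
    """
    if status == 401:
        return "auth-required"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "unknown"
        if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
            return "open"
    return "unknown"


def summarize_indices(body):
    """Parse GET /_cat/indices?format=json.

    Returns (index count, total document count, indices ending in '-meow').
    The '-meow' suffix is the mark the Meow attacks were widely reported to
    leave on indices they overwrote in unprotected clusters.
    """
    rows = json.loads(body)
    total_docs = 0
    wiped = []
    for row in rows:
        name = row.get("index", "")
        if name.endswith("-meow"):
            wiped.append(name)
        try:
            total_docs += int(row.get("docs.count") or 0)
        except ValueError:
            pass  # _cat reports "null" for closed indices; skip them
    return len(rows), total_docs, wiped


def assess(root_status, root_body, cat_status=None, cat_body=None):
    """Combine both responses into one verdict dictionary."""
    result = {"verdict": classify_root(root_status, root_body),
              "indices": 0, "docs": 0, "wiped": []}
    if result["verdict"] == "open" and cat_status == 200 and cat_body:
        n, docs, wiped = summarize_indices(cat_body)
        result.update(indices=n, docs=docs, wiped=wiped)
    return result


def probe(base_url):
    """Live check: GET / first, and list indices only if the node is open."""
    base = base_url.rstrip("/")
    status, body = fetch(base + "/")
    cat_status, cat_body = None, None
    if classify_root(status, body) == "open":
        cat_status, cat_body = fetch(base + "/_cat/indices?format=json")
    return assess(status, body, cat_status, cat_body)


# Constructed sample responses (not captured from any real cluster).
SAMPLE_ROOT_OPEN = json.dumps({"name": "node-1", "cluster_name": "elasticsearch",
                               "version": {"number": "7.8.0"},
                               "tagline": "You Know, for Search"})
SAMPLE_ROOT_LOCKED = json.dumps({"error": {"type": "security_exception",
                                           "reason": "missing authentication credentials for REST request [/]"},
                                 "status": 401})
SAMPLE_CAT = json.dumps([{"index": "users", "docs.count": "12345"},
                         {"index": "posts", "docs.count": "678"},
                         {"index": "archive", "docs.count": None}])
SAMPLE_CAT_WIPED = json.dumps([{"index": "a1b2c3d4-meow", "docs.count": "0"}])

if __name__ == "__main__":
    print(assess(200, SAMPLE_ROOT_OPEN, 200, SAMPLE_CAT))
    print(assess(401, SAMPLE_ROOT_LOCKED))
    # Against a real node you are authorised to test (placeholder hostname):
    # print(probe("http://es.example.internal:9200"))
```

The remediation is configuration, not code: in `elasticsearch.yml` set `xpack.security.enabled: true` (off by default on 7.x basic installs, on by default from 8.0), and keep `network.host` bound to a private interface so port 9200 is never reachable from the internet in the first place. A node that returns "open" from this script needs both changes, and a cluster showing "-meow" indices has already lost its data.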
Fowler sent a disclosure alert to Digital Point immediately after discovering the exposed database on 1 July. Although public access was restricted within hours, no one from the company responded to either the initial notice or the follow-up request.
Previous findings by Fowler
This is not the first time Fowler and his research team have identified an exposed database and protected the privacy of millions of unsuspecting users by informing the affected company. Previously, the researcher identified 440 million records belonging to cosmetics giant Estée Lauder that were publicly accessible without any authentication.
In another similar incident, Fowler reported 2.5 million sensitive medical records exposed by Cense, a New York-based artificial intelligence company.
The incident should not come as a surprise, since misconfigured databases have exposed billions of sensitive records in the last couple of years. In fact, the situation is so critical that, according to a recent poll, database configuration errors are the number one threat to cloud security.