Thanks to @0m3n, a security researcher from San Diego, the database did not go into the hands of parties with malicious intent.
Israeli marketing company Straffic has leaked personal sensitive data of millions of unsuspecting users mostly from the US and European countries – The leak took place due to a misconfigured Elasticsearch database.
Unlike other data breaches involving search engine software Elasticsearch, where databases are accessible without a password due to misconfiguration, the database was protected in this case. However, the password to access the database was in a plaintext file exposed to the public on another domain.
Originally, the database was identified by a security researcher “@0m3n” who gained access to 140 GB worth of records. This included 49 million unique e-mail addresses, names, gender, telephone numbers and addresses of Americans and Europeans.
How Straffic obtained the data is unknown but in response, the company stated that a vulnerability was found on one of the servers and that the problem has since been resolved. However, Troy Hunt of Have I Been Pwned who confirmed the breach criticized the company and said that:
“Their breach disclosure notice is also, without doubt, one of the worst I’ve ever seen. It contains absolutely nothing of substance including when the incident happened, how it happened nor how they’re communicating with impacted individuals.”
Hunt further tweeted that “This incident is yet another example of an organization siphoning up huge amounts of personal data with those in there (almost certainly) having no idea who the company is. Then leaving it all in a publicly accessible Elasticsearch instance.”
The e-mail addresses have since been added to Have I Been Pwned. Of the 49 million leaked e-mail addresses, 70 percent were already known to the search engine via another data breach.
This, however, is not the first time when a database on Elasticsearch was exposed to the public. In November 2019, 4 terabytes of personal records were leaked online – All that without any password.
In another incident, personal and tax records of 20 million Russians were also leaked online. Last month, another Elasticsearch database was exposed and leaked personal data of millions of Americans from a computer in China.