An Elasticsearch instance containing over 5 billion records of data leaked in previous cybersecurity incidents was found exposed to anyone with an Internet connection, Security Discovery reports.
The database was identified as belonging to UK-based security company Keepnet Labs, which focuses on keeping organizations safe from email-based cyber-attacks. It contained data leaked in security incidents that occured between 2012 and 2019.
The Elasticsearch instance, Security Discovery’s Bob Diachenko reveals, had two collections in it: one containing 5,088,635,374 records, and another with over 15 million records. This second collection was being constantly updated.
According to the security researcher, the data was well structured and included the hashtype, leak year, password (hashed, encrypted or plaintext, depending on the leak), email, email domain, and source of the leak.
Diachenko said he was able to confirm leaks originating from Adobe, Last.fm, Twitter, LinkedIn, Tumblr, VK and others.
The researcher immediately alerted Keepnet Labs, which took the database offline within an hour.
Most of the data, Diachenko says, appears to have been collected from previously known sources, but unrestricted access to such a collection would still represent a boon for cybercriminals, providing them with a great resource for phishing and identity theft.
“This massive collection of over five billion records delivers email addresses that can be used by criminals to send socially engineered phishing email scams. The criminals can craft the email with information relating to the breach it was associated with,” James McQuiggan, security awareness advocate at KnowBe4, told SecurityWeek in an emailed comment.
Responding to a SecurityWeek inquiry, Keepnet Labs confirmed that the database only contained publicly available data that can also be accessed through various online services.
The company also said that the data was “collected and correlated” for its customers only, to inform them if their accounts were part of previous breaches, and that customers can perform only searches related to their domains.
“No confidential customer data has been breached,” the company underlined.
The unprotected Elasticsearch cluster was identified by Diachenko on March 16, after being indexed by the BinaryEdge search engine on March 15. However, it’s not clear for how long the database stayed exposed to the Internet and whether third-parties accessed it during that time.
According to Keepnet Labs, the database became exposed while its supplier was moving the index to a different Elasticsearch server. During the operation, the company says, the firewall was disabled for roughly 10 minutes, enough for an online service to index the database.
“There is a certain irony is an exposed database of previously compromised data. The fact that this data was previously compromised doesn’t mean this incident is meaningless. The sheer volume of this collections makes it a valuable target for criminals. Sometimes the data itself is made more valuable by the ease of access or aggregation. It would be important to know for how long this data has been exposed, and of course, whether anyone has actually accessed it,” Tim Erlin, VP of product management and strategy at Tripwire, told SecurityWeek in an emailed comment.
“While the data exposed in this breach appears to be collected from previously known sources, the fact that it was all readily available, indexed, and publicly exposed makes it a big concern. Criminals can use the data contained to formulate attacks against organisations, and in particular use the information for spear-phishing attacks,” Javvad Malik, security awareness advocate at KnowBe4, commented.