Another unsecured Elasticsearch server, less than two weeks after the previous data breach: researchers found 2.7 billion email addresses in an unsecured cloud bucket, 1 billion email account passwords, and an app storage bucket holding nearly 800,000 copies of birth certificates.
Over the past year, the researchers said, some businesses have been unwittingly exposing their Amazon Web Services S3 buckets and cloud-hosted ElasticSearch databases, with no proper security measures in place and no sign of any attempt to lock them down.
Bob Diachenko, director of cyber threat intelligence at SecurityDiscovery, said that last week they found a huge ElasticSearch database containing more than 2.7 billion email addresses (10 of which were simple). Most of the stolen addresses belong to Chinese mail providers such as Tencent, Sina, Sohu and NetEase, although Yahoo, Gmail and some Russian mail domains were also affected. The stolen emails and passwords were also linked to the large-scale theft of 2017, when hackers sold them directly on the dark web.
The ElasticSearch server was hosted at a hosting provider in the United States and was taken down on December 9, after Diachenko published a report on the exposed database. Even so, it had been open for at least a week, accessible to anyone without a password.
In terms of numbers alone, Diachenko says, "this is probably the largest number of records I've seen" (he has uncovered a number of data breaches since 2018, including a database of 275 million Indian citizens).
It could not be confirmed that all of the 2.7 billion compromised email addresses are valid, but their source was a breach. Diachenko argues that exposed email addresses tend not to be taken seriously by businesses, although in reality the associated accounts are then more likely to be compromised.
Although users of these addresses could be warned before they are used in an attack, the domestic firewall blocks the services that check whether an e-mail address has been leaked.
It is not clear who exposed the database, possibly a hacker or a security researcher. Either way, whoever did so ignored the security options that ElasticSearch provides, yet another example of how the security of cloud storage is neglected.
Diachenko also found that the database's owners had stored the MD5, SHA1 and SHA256 hash of each stolen e-mail address alongside it, most likely to make the database easier to search.
It looks as if someone who bought the database was setting it up for searching and misconfigured it, leaving it publicly accessible.
Meanwhile, researchers at Fidus Information Security, a British penetration testing firm, found nearly 800,000 copies of U.S. birth certificates from an online application, stored in an AWS S3 bucket belonging to a company that provides copies of birth and death certificates. The bucket was not password protected and was therefore open to anyone.
Interestingly, according to TechCrunch, the researchers were not able to access the 94,000 death certificate copies from the same application that were also in the bucket.
TechCrunch found that the data in the app dates back to the end of 2017 and that the leaked data includes names, dates of birth, addresses, email addresses, phone numbers and other personal data.
Andrew Mabbitt, director of Fidus, said his company found the data while working on an AWS S3 project. The bucket was configured to be open to the outside world, allowing anyone with the URL to retrieve a complete list of all its files.
To date, the bucket remains public. The researchers said that after they repeatedly contacted Amazon's AWS security team, AWS passed the report on to the bucket owner and recommended that action be taken as soon as possible. However, the owner appears to have ignored the messages and has so far not replied.
Misconfigured data exposed on the public Internet is enough to invite attack. Criminals can use it for fraud or identity theft against the people it belongs to, and there have been many cases of targeted email phishing and hacked accounts.
Anurag Kahol, Bitglass's chief technology officer, recommends that companies make sure they have a clear understanding of, and control over, their customer data. Real-time access control, encryption of data at rest, and configuration monitoring can detect misconfigured cloud security settings.
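A defender-side check for the kind of bucket misconfiguration described above, written for this page as an added example (it is not code from the article, Fidus or Bitglass): it parses an S3 bucket policy document and reports every statement that lets anonymous callers list or download objects. The bucket name, account ID and both policies are constructed placeholders.

```python
import json

# Constructed sample policies (not from the article; account ID is a placeholder).
# The first grants anonymous listing and reads, as described above; the second is locked down.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-certs", "arn:aws:s3:::example-certs/*"],
    }],
})
LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/cert-app"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-certs/*",
    }],
})

# Actions that let an anonymous caller enumerate or download objects.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:list*", "s3:*", "*"}

def _as_list(value):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # Principal "*" or {"AWS": "*"} matches every caller, authenticated or not.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def public_read_findings(policy_json):
    """Return (action, resource, conditional) triples granted to everyone.
    Statements with a Condition block are still reported (flag True): a condition
    may or may not actually restrict who can read, so they need manual review."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        conditional = bool(stmt.get("Condition"))
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() in READ_ACTIONS:
                for resource in _as_list(stmt.get("Resource", [])):
                    findings.append((action, resource, conditional))
    return findings
```

A policy is only one of the ways a bucket can be opened up; the same review should also cover the bucket ACL and the account's public access block settings.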