Security researcher Bob Diachenko has found an unprotected and publicly available Elasticsearch database, which appears to be managed by a UK-based security company, according to the SSL certificate and reverse DNS records.
According to Diachenko, the irony of that discovery is that it was a ‘data breach database’, an enormously huge collection of previously reported (and, perhaps, non-reported) security incidents spanning 2012-2019 era. The Elasticsearch cluster in question had two collections, says Diachenko.
- leaks_v1, with 5,088,635,374 records (more than 5 Billion records)
- leaks_v2, with more than 15 million records, updating in real-time
Diachenko says the data was well structured and included:
- hashtype (the way a password was presented: MD5/hash/plaintext etc)
- leak date (year)
- password (hashed, encrypted or plaintext, depending on the leak)
- email domain
- source of the leak (Diachenko was able to confirm a few of the most prominent ones: Adobe, Last.fm, Twitter, LinkedIn, Tumblr, VK and others).
Dianchenko notes that he immediately sent a security alert to the company which seemed to be responsible for the exposure but never received a reply. But, he notes that the database was taken offline within an hour after the notification was sent.
"Even though most of the data seems to be collected from previously known sources, such large and structured collection of data would pose a clear risk to people whose data was exposed. An identity thief or phishing actor couldn’t ask for a better payload. Fraudsters might target affected people with scams and phishing campaigns, using their personal information to craft targeted messages. Phishing messages often impersonate trusted people or organizations to trick victims into giving up sensitive information or money. They often contain links to phishing websites, which mimic genuine websites. In fact, they exist only to steal information, such as passwords and payment information," adds Diachenko.