Elasticsearch Snafu Exposes Data on 82 Million Americans

The personal information of nearly 82 million Americans was exposed online for at least two weeks thanks to another cloud misconfiguration error, although it’s not clear which company is at fault.

Researchers from security firm HackenProof discovered the publicly available Elasticsearch servers via a simple Shodan search. Elasticsearch is an open source search engine intended for use inside private networks.

At least three IPs associated with the same Elasticsearch clusters were left open for public access, exposing a whopping 73GB of personal data. Part of this data related to 56,934,021 US citizens.
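The exposure described above is the classic Elasticsearch misconfiguration: the REST API bound to a non-loopback interface with no authentication in front of it. The following is an added example, not code from the article or from HackenProof, that lints an elasticsearch.yml for exactly that combination of settings. It assumes that "open for public access" means an unauthenticated HTTP API on a reachable interface; the `network.host` and `xpack.security.*` keys are real Elasticsearch settings, but their defaults vary by version and licence, so the linter treats a missing security setting as disabled (an assumption). Both sample configurations are constructed.

```python
"""Lint an elasticsearch.yml for settings that leave the cluster readable
by anyone who can reach port 9200.  Added example; not from the article or
from HackenProof.  Sample configurations below are constructed."""

# Values of network.host that keep the API on the loopback interface only.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "_local_"}


def parse_simple_yaml(text):
    """Parse flat 'key: value' lines, which is all elasticsearch.yml needs.
    Trailing comments, blank lines and quotes are stripped; nested mappings
    are not supported by this deliberately small parser."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def audit_elasticsearch_config(text):
    """Return a list of human-readable findings for an elasticsearch.yml."""
    s = parse_simple_yaml(text)
    findings = []
    # Assumption: an absent network.host means the loopback default.
    host = s.get("network.host", "localhost")
    non_loopback = host not in LOOPBACK_HOSTS
    # Assumption: an absent security setting is treated as disabled.
    security_on = s.get("xpack.security.enabled", "false").lower() == "true"
    tls_on = s.get("xpack.security.http.ssl.enabled", "false").lower() == "true"

    if non_loopback and not security_on:
        findings.append(
            "HTTP API bound to a non-loopback interface with authentication disabled")
    elif not security_on:
        findings.append(
            "authentication disabled (acceptable only while bound to loopback)")
    if non_loopback and not tls_on:
        findings.append("HTTP API served without TLS on a non-loopback interface")
    return findings


# Constructed: the kind of configuration that shows up in a Shodan search.
WEAK_CONFIG = """
cluster.name: directory-prod
network.host: 0.0.0.0
http.port: 9200
"""

# Constructed: bound to a private interface, authentication and TLS enabled.
HARDENED_CONFIG = """
cluster.name: directory-prod
network.host: 10.0.3.12   # private interface, reached only via VPN
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_elasticsearch_config(cfg) or ["no findings"])
```

Binding to a private address is not a substitute for authentication; the hardened sample passes because both are set, and a firewall or security group in front of port 9200 is still expected.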

Exposed information included first name, last name, employer, job title, email, address, state, zip, phone number, and IP address. A second trove of 25 million records was a more detailed directory with a business slant, including: name, company details, zip address, carrier route, latitude/longitude, census tract, phone number, web address, email, employee count, revenue numbers, NAICS codes, SIC codes, and more.

Combined, over 114m records were affected.

The data was made private on November 28, two weeks after it was first indexed by Shodan, although it’s unknown how long it was exposed for before that. It could have been obtained by hackers, or theoretically the owner of the Elasticsearch instances could have been extorted.

HackenProof also warned that in cases like this, full access could have allowed for remote code execution on the system.

“While the source of the leak was not immediately identifiable, the structure of the field ‘source’ in data fields is similar to those used by a data management company Data & Leads Inc,” said HackenProof.

Adding to the mystery, that company’s website is now offline and the researchers have not been able to establish contact with any representatives.

Balaji Parimi, CEO of CloudKnox Security, argued firms need to proactively manage privileged accounts to reduce the risk of human error like this.

“Over-privileged identities are one of the biggest threats facing enterprises with complex, multi-cloud environments, and we will continue to see database leaks like this one until companies get better at assessing and managing unused, high-risk privileges,” he added.

“This latest data breach should serve as a wake-up call to IT security operations teams. Poorly secured, internet-facing infrastructure will be discovered and exploited. The developing threat landscape reinforces the notion that all organisations have targets firmly on their backs at all times and threat actors will continue to innovate attack methods to secure valuable data and possibly leverage that data for more nefarious purposes.” 

Cofense director of sales engineering, David Mount, argued that those affected may have been exposed to phishing campaigns.

“It’s extremely important for end-users to stay vigilant when monitoring email inboxes for any messages that may seem unexpected, strange or suspicious and report them immediately for further analysis,” he added.

“Remember that mitigating risk doesn’t end with addressing the vulnerable server. As important as security software and firewalls are, technology alone is not enough to stop active phishing attacks.”
