Data records of 1.2 billion users found openly accessible on an Elasticsearch server with no password protection or authentication.
On October 16, 2019, Bob Diachenko and Vinny Troia discovered an Elasticsearch server containing 4 billion user accounts spanning more than four terabytes of data.
“This is the first time I’ve seen all these social media profiles collected and merged with user profile information into a single database on this scale. From the perspective of an attacker, if the goal is to impersonate people or hijack their accounts, you have names, phone numbers and associated account URLs. That’s a lot of information in one place to get you started,” Troia said.
The exposed records
The leaked data contained names, email addresses, phone numbers, LinkedIn and Facebook profile information.
Analysis of the data's origin pointed to two data enrichment companies, People Data Labs (PDL) and OxyData.io (OXY). Both companies denied that the server belonged to them.
“The owner of this server likely used one of our enrichment products, along with a number of other data-enrichment or licensing services,” says Sean Thorne, co-founder of People Data Labs. “Once a customer receives data from us, or any other data providers, the data is on their servers and the security is their responsibility. We perform free security audits, consultations, and workshops with the majority of our customers.”
“While the part of the database Vinny found presumably might be acquired from us or one of our customers, it has definitely not been leaked from our database,” said Martynas Simanauskas, OxyData director of business-to-business sales.
The server's IP address traced only to Google Cloud services, so there is no indication of who collected the data. Troia noted that there is no way to tell whether the data had been downloaded or found by anyone before him.
Data Viper, Vinny Troia's security research platform, reported that the information was accessible at HTTP://18.104.22.168:9200 to anyone, without any password.
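The root cause reported above is an Elasticsearch HTTP endpoint that answered anyone on port 9200 without credentials. The following self-check, an added example that is not code from the article or from the researchers, shows how a defender can audit the endpoints in their own inventory for that condition: one unauthenticated GET to the cluster root, classified as "open" when the node returns its banner, "protected" when it demands credentials, "unknown" otherwise. The two in-process stub servers are constructed stand-ins for a misconfigured and a hardened node so the script runs offline; `es_exposure`, `start_stub` and `audit_inventory` are names chosen here.

```python
"""Self-audit: does an Elasticsearch endpoint on our own inventory answer
unauthenticated requests? The stub servers below are constructed for the
example and simulate an open node and a node that requires credentials."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen


def es_exposure(base_url, timeout=3):
    """Send one unauthenticated GET to the cluster root and classify the reply.

    'open'      -> the node returned its cluster banner to an anonymous caller
    'protected' -> the node answered 401/403 (credentials required)
    'unknown'   -> unreachable, or not an Elasticsearch banner
    Nothing beyond the root document is ever requested.
    """
    req = Request(base_url, headers={"Accept": "application/json"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            body = json.loads(resp.read().decode("utf-8", "replace"))
    except HTTPError as err:
        return "protected" if err.code in (401, 403) else "unknown"
    except (URLError, OSError, ValueError):
        return "unknown"
    # An unauthenticated Elasticsearch node answers '/' with a JSON banner
    # carrying "cluster_name" and a "version" object.
    if isinstance(body, dict) and "cluster_name" in body and "version" in body:
        return "open"
    return "unknown"


def audit_inventory(urls):
    """Map each inventoried endpoint URL to its exposure classification."""
    return {url: es_exposure(url) for url in urls}


class _StubNode(BaseHTTPRequestHandler):
    """Constructed stand-in for an Elasticsearch node's root endpoint."""
    require_auth = False  # overridden per server by start_stub()

    def do_GET(self):
        if self.require_auth and "Authorization" not in self.headers:
            # What a node with security enabled returns to anonymous callers.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="security"')
            self.end_headers()
            return
        banner = json.dumps({
            "name": "node-1",
            "cluster_name": "constructed-cluster",
            "version": {"number": "7.4.0"},
            "tagline": "You Know, for Search",
        }).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(banner)))
        self.end_headers()
        self.wfile.write(banner)

    def log_message(self, *args):  # keep the example output quiet
        pass


def start_stub(require_auth):
    """Start a stub node on an ephemeral loopback port; returns (server, url)."""
    handler = type("StubHandler", (_StubNode,), {"require_auth": require_auth})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/" % server.server_address[1]


if __name__ == "__main__":
    open_srv, open_url = start_stub(require_auth=False)
    safe_srv, safe_url = start_stub(require_auth=True)
    for url, verdict in audit_inventory([open_url, safe_url]).items():
        print(f"{url}: {verdict}")   # prints 'open' then 'protected'
    open_srv.shutdown()
    safe_srv.shutdown()
```

Any endpoint the audit reports as "open" should be fixed at the node rather than at the edge alone: in `elasticsearch.yml`, `xpack.security.enabled: true` turns on authentication and `network.host` bound to a private interface keeps the HTTP port off the public internet.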
People Data Labs (PDL)
According to its website, the PDL application can be used to search:
- Over 1.5 billion unique people including close to 260 million in the U.S.
- Over 1 billion personal email addresses. Work emails for 70%+ of decision makers in the US, UK and Canada.
- Over 420 million LinkedIn URLs
- Over 1 billion Facebook URLs and IDs
- 400+ million phone numbers. 200+ million valid US-based cell phone numbers.
OxyData is another data enrichment company, which claims to have:
- 4TB of data
- 380 million people profiles
- 14 million company profiles
- Across 195 countries
- Employees in 80 industries
- 2.5K web technologies
A similar case of data exposure was discovered on August 19, where around 198 million personal records of car buyers were exposed online.