57m Americans’ details leaked online by another misconfigured server

Misconfigured Elasticsearch servers are the unwelcome gift that keeps on giving. The latest breach spilled personal details on 57 million Americans, according to reports this week.

Bob Diachenko, director of cyber risk research for security firm Hacken, said that the company found an exposed Elasticsearch server on the Shodan search engine, which scans for connected devices and open servers. It found at least three IP addresses with identical Elasticsearch clusters misconfigured for public access.

These instances, which held 73GB of data, had been publicly accessible on 14 November – which is when it was indexed by Shodan. However, it is unclear how long it had been online before that point, Diachenko said. Hacken discovered the instances on 20 November and the sites disappeared a couple of days later.

The service held data on almost 57 million US citizens, containing information including first and last name, employers, job title, email, address, state, ZIP code, phone number, and IP address. Another index of the same database included over 25 million business records, which held details on companies including employee counts, revenue numbers, and carrier routes.

Hacken couldn’t immediately identify the source of the leak, but Diachenko noted that one of the fields in the database was similar to those used by a marketing data company. He couldn’t reach their executives for comment, and the company took its website offline shortly before he blogged about the incident. However, this doesn’t necessarily mean that the company was the source of the leak. What’s scary is that this volume of records could be leaked online without anyone knowing for sure who’s responsible.

Elasticsearch is a full-text search engine product released on an open-source basis. It searches a variety of document types in near-real-time thanks to its distributed search capabilities. Companies can download and use the software on their own servers or run it on cloud-based computers. However, the product ships with a default login configuration. This makes it easy for anyone to access a public-facing Elasticsearch instance unless its credentials have been changed.

The same thing recently happened to massage app Urban, which spilled the details on 309,000 customers thanks to a leaky Elasticsearch configuration this month.

This breach and the Urban event are far from the only security incidents due to misconfigured Elasticsearch instances. Hacken said earlier this month that the Federation of Industries of the State of São Paulo in Brazil made 34m personal records publicly available on an Elasticsearch database, although the organization denied the claim.

Diachenko formerly worked at Kromtech, which regularly scans Shodan looking for exposed instances of Elasticsearch, MongoDB and others. In October 2017, Kromtech found the private information of over 1,100 NFL players and their agents exposed on a misconfigured Elasticsearch server. A ransom note was left inside that database.

Back in June, another researcher found that data aggregation firm Exactis had exposed around 340 million individual records via a misconfigured Elasticsearch server, amounting to almost 2TB of data.

Publicly exposed personal records on unprotected servers are skewing data breach statistics by dramatically increasing the number of exposed records per breach. Misconfigured public-facing servers are a treasure trove for data thieves, who only need a browser to find them.