Data Leak Week: Billions of Sensitive Files Exposed Online
Earlier this week, separate data exposure incidents left a total of 2.7 billion email addresses, 1 billion passwords, and nearly 800,000 applications for copies of birth certificates were found on unsecured cloud buckets by security researcher Bob Diachenko. Organizations continue to fail to lock down their cloud servers, and researchers keep discovering sensitive information in unsecured cloud buckets as a result. This means it is relatively easy for cybercriminals and nation-state threat actors to retrieve this sensitive data as well. Research from Digital Shadows shows that misconfigured online storage has led to a 50% increase in exposed files this year.
Diachenko uncovered a massive ElasticSearch database containing sensitive information such as email domains and passwords, most of which were leaked from internet providers based in China such as Tencent, Sina, NetEase, and Sohu, however, the database contained Yahoo, Gmail, and Russian email domains as well. The emails that came with passwords were later confirmed to be a part of a massive data breach that occurred in 2017 when a vendor on the Dark Web had them up for sale. Diachenko reported the searchable database, which did not require password protection, to the US-based colocation service which subsequently took the server down on December 9. However, the database was “wide open” for at least a week. Diachenko stated that it is unlikely that many of the victims are aware of the breach.