Security firm leaves more than five billion records exposed on unsecured database

Isn’t it ironic… don’t you think?

Graham Cluley

A massive database, containing more than five billion records derived from past security breaches between 2012 and 2019, has been left on the internet without any password protection.

And who left it exposed? A security firm.

Researcher Bob Diachenko says that he found the unsecured “data breach database” on a publicly-accessible Elasticsearch instance, managed by British security outfit Keepnet Labs, on March 16th.

Diachenko immediately sent Keepnet Labs an alert about the security breach, and although he never received a reply the data was taken offline within one hour.

The data that Diachenko stumbled across (and that anyone else could potentially have accessed) included:

  • hashtype (for instance, whether the password was represented as an MD5 hash or in plaintext)
  • the year that the data leaked
  • the password (hashed, encrypted or plaintext)
  • the email address of the breached user
  • the source of the leak (for instance, Adobe, Last.fm, Twitter, LinkedIn, etc.)

Exposed data

Of course this was data that had been previously exposed in past security breaches, and so it’s not as though users whose details were included in this leak were not already at some risk.

But that’s really no excuse for a security company to be so lax about its own security, and potentially compound the risks of users still further.

Presumably Keepnet Labs was storing its huge database of previously-breached records in order to conduct its own research into security incidents, or to provide a service to its customers. What it has actually done, however, is put an awful lot of people at increased risk.

Security features on Elasticsearch instances are disabled by default, making it seemingly all-too-easy for administrators to effectively ignore the essential requirement to implement a proper defense before making their systems live on the internet.
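As an added illustration (not code from the article, from Keepnet Labs or from Elastic), a small Python check that flags the exposure pattern just described in an elasticsearch.yml: an instance bound beyond loopback while xpack.security.enabled is left at its pre-8.0 default of false. The setting names are real Elasticsearch 7.x settings; the two configuration texts are constructed for the example, with the weak one beside the corrected one.

```python
"""Audit an elasticsearch.yml for the 'open on the internet, no auth' pattern.

Constructed example. It reflects Elasticsearch 7.x defaults as they stood at
the time of the article: security off unless xpack.security.enabled is set,
network.host defaulting to loopback (_local_).
"""

LOOPBACK = {"_local_", "127.0.0.1", "localhost", "::1"}


def parse_simple_yaml(text):
    """Parse flat 'key: value' lines, which is all elasticsearch.yml needs here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"\'')
    return settings


def audit(text):
    """Return a list of findings; an empty list means no exposure pattern found."""
    s = parse_simple_yaml(text)
    host = s.get("network.host", "_local_")           # default binds loopback only
    bound_publicly = host not in LOOPBACK
    security_on = s.get("xpack.security.enabled", "false").lower() == "true"
    tls_on = s.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    findings = []
    if bound_publicly and not security_on:
        findings.append("HTTP API reachable beyond loopback with authentication disabled")
    if bound_publicly and security_on and not tls_on:
        findings.append("credentials sent in clear: HTTP TLS not enabled")
    return findings


# Constructed configs: the weak setting beside the corrected one.
WEAK = """
cluster.name: breach-research
network.host: 0.0.0.0      # listens on every interface, security left at default
http.port: 9200
"""

HARDENED = """
cluster.name: breach-research
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""
```

Running audit(WEAK) reports the unauthenticated exposure; audit(HARDENED) reports nothing.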

Two months ago, Microsoft admitted that it had left 250 million customer service and support records exposed on five unsecured Elasticsearch servers.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
