An unprotected Elasticsearch database exposed personal details of 57 million U.S. citizens for almost two weeks. Bob Diachenko, Director of Cyber Risk Research at Hacken, discovered that the unsecured server was left visible online without a password exposing customers’ personal data.
ElasticSearch, an enterprise search engine, provides technology solutions for powering search functions.
“An open ElasticSearch instance exposed personal info of 56,934,021 US citizens, with information such as first name, last name, employers, job title, email, address, state, zip, phone number, and IP address,” Diachenko stated in a blog post.
The researcher also stated he found another index of the same database that contained 25 million additional data records holding sensitive information, including names, company details, zip address, carrier route, latitude/longitude, census tract, phone number, web address, email, employees count, revenue numbers, NAICS codes, and SIC codes.
The database was not password protected and could be accessed by anyone with an Internet connection. The issue was spotted during a security audit of publicly available servers with the Shodan search engine, according to the researcher.
“As of today, the database is no longer exposed to the public, however, it is unknown for how long it has been online before Shodan crawlers indexed it on November 14th and who else might have accessed the data,” Diachenko added.
The researcher specified the source of the leak was not identifiable and he’s not able to get in touch with ElasticSearch representatives.
While speaking about the disclosure, Bob said, “Our goal is to help protect data on the Internet by identifying data leaks and following responsible disclosure policies. Our mission is to make the cyber world safer by educating businesses and communities worldwide on ethical vulnerability disclosure policy (VDP).”
A couple of weeks back, Diachenko had unearthed another unprotected server hosted by MongoDB that exposed hundreds of thousands of American Express (Amex) India customers’ personal data. Most of the exposed data were encrypted but included 2,332,115 records with customers’ names, addresses, Aadhar numbers, PAN card numbers, and phone numbers hosted on the domain americanexpressindia.co.in.