Personal information on 1.2 billion people was found stored on an online server that anyone could access



On October 16, 2019, security researchers Bob Diachenko and Vinny Troia discovered an Elasticsearch server holding more than 4TB of personal information. The server was unsecured and accessible to anyone, and the database is reported to contain personal information on more than 1.2 billion people.

1.2 billion people exposed in data leak includes personal info, LinkedIN, Facebook
https://www.dataviper.io/blog/2019/pdl-data-exposure-billion-people/

Mysterious User Hoarded Records on 1.2B People Via Leaky Database | News & Opinion | PCMag.com
https://www.pcmag.com/news/372140/mysterious-user-hoarded-records-on-1-2b-people-via-leaky-dat

1.2 Billion Records Found Exposed Online in a Single Server | WIRED
https://www.wired.com/story/billion-records-exposed-online/



The database discovered by Diachenko and Troia contains personal information on 1.2 billion people, excluding duplicates, and they described it as "one of the largest cases in history of data leaking from a single organization." The Elasticsearch server where the database was discovered was not encrypted and was accessible from a web browser without a password or any other authentication.

The two pointed out that this leak is unusual: "Personal information appears to have been collected from two different data enrichment companies." A data enrichment company is a company that acquires basic information such as personal names and email addresses at a very low price, adds various data to it, and sells the expanded user profiles.

As can be seen from the data leakage case of Exactis, an American marketing company, the personal information held by a data enrichment company is not limited to names and email addresses, but also covers a wide range of details such as religion, hobbies, financial condition, and pet information. Data enrichment companies try to enhance their user profiles by purchasing data from public records on the web, social networking sites, or third-party data brokers.



After analyzing the contents of the database filled with personal information on 1.2 billion people, Diachenko and Troia found that it included information from two data enrichment companies, People Data Labs (PDL) and OxyData. Personal information in the database included personal names, email addresses, landline phone numbers, and LinkedIn and Facebook profiles, and this information almost exactly matched the data owned by the two companies.

On the other hand, the two report that the owner of the discovered server was neither PDL nor OxyData. This raises the question: "How did the server owner get the information that the two data enrichment companies have?" The two pointed out the possibility that the server owner was a customer of both PDL and OxyData. In this case, the data may not have been stolen from the two companies, but it is possible that the data has been misused.

Although data may have been stolen from PDL or OxyData without anyone's knowledge, Troia says it is more likely that the data was purchased in a legitimate way than obtained by hacking, and insists that the companies were not compromised. "If this case was not a data breach due to unauthorized access, who would be responsible for the data leak?" The existence of the database has already been reported to the Federal Bureau of Investigation (FBI), and the server and database were taken offline within a few hours, but no official comment from the FBI had been obtained at the time of writing.



in Security, Posted by log1h_ik