Revelations this week of separate data exposure incidents — a billion passwords displayed in plaintext as well as hundreds of thousands of US birth certificate applications — shared a common thread: unsecured cloud-based databases that left the sensitive information wide open for anyone to access online.
An epidemic in the past year or so of organizations inadvertently leaving their Amazon Web Services S3 and ElasticSearch cloud-based storage buckets exposed and without proper security has added a new dimension to data breaches. Organizations literally aren't locking down their cloud servers, researchers are finding them en masse, and it's likely cybercriminals and nation-state are as well. Misconfigured online storage has led to an increase of 50% in exposed files this year over 2018, according to data from Digital Shadows published in May.
"Cloud services are inexpensive ways to do things we've done expensively for years, so it makes sense why so many people are moving their resources to the cloud. The problem is that it's still far too easy to make mistakes that expose all your data to the Internet," says John Bambanek, vice president of security research and intelligence at ThreatStop.
Security researcher Bob Diachenko last week discovered a massive ElasticSearch database of more than 2.7 billion email addresses, 1 billion of which included passwords in plaintext. Most of the stolen email domains were from Internet providers in China, such as Tencent, Sina, Sohu, and NetEase, although there were some Yahoo, Gmail, and Russian email domains as well. The pilfered emails that came with the passwords were confirmed to be part of a previ ..
Support the originator by clicking the read the rest link below.
