Microfinance Agency Exposed Thousands of Customer Records

In another Elasticsearch misconfiguration incident, Credia.ge, a microfinance agency based in Tbilisi, Georgia, exposed personal and loan information for thousands of its customers.


I identified the publicly accessible Elasticsearch cluster on August 3rd; according to Shodan historical data, however, it was first indexed back in September 2018. Moreover, at least one more database was set to public on an adjacent IP.


The 2GB Elasticsearch instance in question was already labeled as 'compromised' in Shodan search results and contained 142,571 user records with the following information:


Username (full name)
Full address
Birth day/month
Passport number
Email
Loan amount (if granted)
Tax ID code
IBAN bank number
Unicard ID (if applicable)
Loan status (denied/granted)



The loan collection contained 12,416 records with similar data; however, each line in that collection appears to be unique. The application collection had 229,474 records, with additional details on loans, denial reasons and denial methods.


On top of that, a Readme note was found containing a ransom demand of 0.1 BTC for returning the data (which, for some reason, had not been deleted).
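As an added example (not code from the original post or from Credia.ge), the following Python shows the binding pattern that leaves an Elasticsearch HTTP API reachable without authentication beside its hardened form, and a check of `_cat/indices` output for the kind of ransom-note index described above; the configuration values, index names and document counts are constructed sample data.

```python
"""Added example (not the post's or Credia.ge's code): audit an Elasticsearch
node for an API reachable without auth and for a ransom-note index."""
import re

# Constructed elasticsearch.yml that exposes the node: bound to all interfaces
# with security off (the default before Elasticsearch 8).
WEAK_CONFIG = """
network.host: 0.0.0.0
xpack.security.enabled: false
"""
# Constructed hardened counterpart: loopback bind and authentication on.
HARDENED_CONFIG = """
network.host: 127.0.0.1
xpack.security.enabled: true
"""

def parse_settings(text):
    """Minimal parser for flat 'key: value' lines of elasticsearch.yml."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit_config(text):
    """Return findings describing how the node is exposed (empty if none)."""
    s = parse_settings(text)
    host = s.get("network.host", "_local_")  # Elasticsearch default is loopback
    public = host not in ("localhost", "127.0.0.1", "::1", "_local_")
    findings = []
    if public:
        findings.append(f"network.host={host}: HTTP API reachable beyond loopback")
        if s.get("xpack.security.enabled", "false").lower() != "true":
            findings.append("xpack.security.enabled is not true: no auth on exposed API")
    return findings

# Constructed `_cat/indices?v` output as it might look after the ransom drop.
CAT_INDICES = """health status index        uuid   pri rep docs.count store.size
yellow open   users        abc123   1   1     142571      1.4gb
yellow open   loans        def456   1   1      12416      120mb
yellow open   applications ghi789   1   1     229474      500mb
yellow open   readme       jkl012   1   1          1      4.5kb
"""
RANSOM_INDEX = re.compile(r"^(read_?me|warning|please_read)", re.I)

def ransom_indices(cat_output):
    """Index names in `_cat/indices` output that look like ransom notes."""
    rows = (line.split() for line in cat_output.splitlines()[1:])
    return [c[2] for c in rows if len(c) >= 3 and RANSOM_INDEX.match(c[2])]
```

Run `audit_config` against a node's elasticsearch.yml and `ransom_indices` against its `_cat/indices?v` output; a non-empty result from either is the condition this incident describes.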



I immediately sent a responsible disclosure alert to the organization, but no response was ever received. On August 9th (almost a week after the initial discovery) the database was still open, so I got in touch with the Georgian CERT, and the same day the database was pulled offline.


It is worth noting that in June 2019 Credia.ge started its liquidation process.


It is unknown, whether somebody else has accessed the data while it was se ..
