Security firm leaves more than five billion records exposed on unsecured database


Isn’t it ironic… don’t you think?










A massive database, containing more than five billion records derived from past security breaches between 2012 and 2019, has been left exposed on the internet without any password protection.

And who left it exposed? A security firm.


Researcher Bob Diachenko says that he found the unsecured “data breach database” on a publicly-accessible Elasticsearch instance, managed by British security outfit Keepnet Labs, on March 16th.


Diachenko immediately sent Keepnet Labs an alert about the security breach, and although he never received a reply, the data was taken offline within one hour.


The data that Diachenko stumbled across (and that anyone else could potentially have accessed) included:


hashtype (for instance, whether the password was represented as MD5 hash or plaintext)
the year that the data leaked
the password (hashed, encrypted or plaintext)
the email address of the breached user
the source of the leak (for instance, Adobe, Last.fm, Twitter, LinkedIn, etc)




Of course this was data that had been previously exposed in past security breaches, and so it’s not as though users whose details were included in this leak were not already at some risk.


But that’s really no excuse for a security company to be so lax about its own security, and potentially compound the risks of users still further.


Presumably Keepnet Labs was storing its huge database of previously-breached records in order to conduct its own research into security incidents, or provide a service to its customers. What it has ac ..
