Experts found data belonging to 82 Million US Users exposed on unprotected Elasticsearch Instances

Pierluigi Paganini December 03, 2018

Security experts at HackenProof are warning Open Elasticsearch instances expose over 82 million users in the United States.

Experts from HackenProof discovered Open Elasticsearch instances that expose over 82 million users in the United States.

Elasticsearch is a Java-based search engine based on the free and open-source information retrieval software library Lucene. It is developed in Java and is released as open source, it is used by many organizations worldwide.

Experts discovered 73 gigabytes of data during a regular security audit of publicly available servers. Using the Shodan search engine the experts discovered three IPs associated with misconfigured Elasticsearch clusters.

“A massive 73 GB data breach was discovered during a regular security audit of publicly available servers with the Shodan search engine.” reads a blog post published by HackenProof.

“Prior to this publication, there were at least 3 IPs with the identical Elasticsearch clusters misconfigured for public access.”

The first IP discovered by the experts on November 14, contained the personal information of 56,934,021 U.S. citizens (i.e. name, email, address, state, zip, phone number, IP address, and also employers and job title).

Experts discovered a second Index of the same archive that contained more than 25 million records with more detailed information (i.e. name, company details, zip address, carrier route, latitude/longitude, census tract, phone number, web address, email, employees count, revenue numbers, NAICS codes, SIC codes, and etc).

Elasticsearch instances data leak

Overall, HackenProof says (PDF), 82,851,841 people were impacted by this data breach.

The overall number of records exposed in the unprotected Elasticsearch instances is over 114,686,118 (114,686,118), according to HackenProof 2,851,841 individuals were impacted by this data leak.

At the time it is not clear which is the ownership of the exposed Elasticsearch instances, experts speculate that Data & Leads Inc. could be the data source.

Experts attempted to notify the incident to the company, but they did not receive any reply. The company website was taken offline just after the publication of the report.

It is not possible to determine for how long data remained exposed online, the good news is that the huge trove of data is no longer available.

“While the source of the leak was not immediately identifiable, the structure of the field ‘source’ in data fields is similar to those used by a data management company Data & Leads Inc. However, we weren’t able to get in touch with their representatives.” continues the blog post.

“Moreover, shortly before this publication Data & Leads website went offline and now is unavailable.”

In September, security experts from the firm Kromtech have discovered 4,000 compromised instances of open source analytics and search tool Elasticsearch that were running PoS malware.

Earlier 2017, the number of internet-accessible Elasticsearch installs was roughly 35,000.

In July, the security researcher Vinny Troia discovered that Exactis, a data broker based in Palm Coast, Florida, had exposed a database that contained close to 340 million individual records on a publicly accessible server.

Unprotected Elasticsearch instances are a gift for hackers and cybercriminals, hackers can compromise them by installing a malware and gain full administrative privileges on the underlying servers.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Elasticsearch installs, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]


you might also like

leave a comment