French daily newspaper Le Figaro exposed roughly 7.4 billion records containing personally identifiable information (PII) of employees, reporters, and at least 42,000 users.
The database was discovered by the Safety Detectives team of experts led by the researcher Anurag Sen. It was over 8TB, and the archive also included data of accounts registered between February and April 2020, as well as access logs from the same period.
“Hosted on an Elasticsearch server owned by Poney Telecom in France, the leaking database contained over 8TB of data, totaling approximately 7.4 billion records.” reads the post published by the researchers. “The server was live at the time of our investigation, leaking Personally Identifiable Information (PII) data from people accessing private accounts on Le Figaro’s news website, and in some cases, their login credentials.”
Exposed data included full names, emails, home addresses (countries of residence, ZIP codes), passwords in plain text hashed using MD5, and IP addresses and tokens used for access to internal servers.
The database also contained technical logs that could give an attacker precious information on Le Figaro’s infrastructure.
Sensitive log data related to the company’s data infrastructure included SQL query errors, traffic between different servers, communication protocols, and potential access to admin accounts.
Experts believe that the leak could be connected to the AGORA system used by Le Figaro as a CRM.
The database was accidentally exposed by Le Figaro due to a misconfigured Elasticsearch server.
“Finally, and most worrisome of all, the database was completely exposed to the public – with no password required to access it,” continues the post. “Anyone with the knowledge of the database’s IP address could have gained access.”
Experts pointed out that exposed data could lead to identity theft and multiple fraud schemes. Journalists are a privileged target for nation-state actors that could use exposed data to launch spear-phishing attacks.
“Hackers with access to a database like Le Figaro’s could attempt billions of password combinations per second, on various platforms simultaneously. It wouldn’t take long for them to exploit the exposed PII data to gain access to private email and cloud accounts and implement further fraud schemes accordingly,” conclude the experts.
“Hackers could also use the exposed emails and other PII data to create highly effective phishing campaigns against targets.”
(SecurityAffairs – Le Figaro, hacking)