The Israeli marketing firm Straffic exposed 49 million unique email addresses due to mishandled credentials for an Elasticsearch database.
The credentials for the company archive were stored in plain text on an unprotected web server.
Straffic notified the impacted users of the incident and added that the data leak was the result of a “security vulnerability” in one of its servers.
“Following this report, we confirmed a weakness did exist and promptly patched it, in addition to fortifying our existing security protocols. As of now, all systems are secure and we did not find evidence of any data misuse or data loss.”
The exposed Elasticsearch database contained 140GB of contact details, including names, email addresses, phone numbers, physical addresses, and genders. While it was password protected, it appears that the credentials were not properly stored.
The credentials were left in
The expert decided to investigate the company after receiving unwanted marketing SMS messages for more than two years.
The expert discovered a configuration text file (
Clearly this case appears to be the result of a misconfiguration rather than a security vulnerability.
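As an added example (not code from Security Affairs or Straffic), the following defender-side audit walks a web document root and flags configuration files that hold plaintext credentials, the misconfiguration described above; the file names, key patterns and sample contents are constructed assumptions.

```python
"""Audit a web document root for plaintext credential files (added example)."""
import re
import tempfile
from pathlib import Path

# Configuration-style files that should never sit in a web root (assumed list).
CONFIG_SUFFIXES = {".env", ".ini", ".cfg", ".conf", ".yml", ".yaml", ".json", ".txt", ".properties"}
# Keys such as elasticsearch.password=..., ES_PASSWORD: ..., "secret": "..." (case-insensitive).
SECRET_KEY_RE = re.compile(r'(?i)^\s*["\']?[\w.-]*(password|passwd|pwd|secret|api_?key|token)["\']?\s*[:=]\s*\S')
# Connection URLs with embedded credentials, e.g. http://user:pass@host:9200
URL_CRED_RE = re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:]+:[^@\s]+@")

def scan_file(path: Path) -> list[str]:
    """Return 'path:line' references for lines that look like plaintext credentials."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return []
    return [f"{path}:{n}" for n, line in enumerate(text.splitlines(), 1)
            if SECRET_KEY_RE.search(line) or URL_CRED_RE.search(line)]

def audit_docroot(docroot: str) -> dict[str, list[str]]:
    """Map each config file under docroot (relative path) to its credential-like lines.
    Anything reported here is served to whoever requests the file name."""
    report = {}
    for p in Path(docroot).rglob("*"):
        if p.is_file() and (p.suffix.lower() in CONFIG_SUFFIXES or p.name.startswith(".")):
            hits = scan_file(p)
            if hits:
                report[str(p.relative_to(docroot))] = hits
    return report

def demo() -> dict[str, list[str]]:
    """Build a constructed sample docroot and audit it (sample values are made up)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "config.txt").write_text("elasticsearch.host=es.internal\nelasticsearch.password=hunter2\n")
        (root / "app.yml").write_text("url: http://elastic:s3cret@es.internal:9200\n")
        (root / "index.html").write_text("<p>Forgot your password? Reset it here.</p>\n")
        return audit_docroot(d)

if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, *hits, sep="\n  ")
```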
The popular expert Troy Hunt, who runs the Have I Been Pwned data breach notification service, declared that 70% of the emails in Straffic’s database were already included in the service’s archive.
(SecurityAffairs – Straffic, data leak)