Security researchers discovered an open Elasticsearch server containing unique data records on around 1.2 billion users. According to security analysts Bob Diachenko and Vinny Troia, the server holds more than 4 terabytes of data with no password protection or authentication.
The exposed data included names, email addresses, phone numbers, and LinkedIn and Facebook profile information. The data appears to have originated from two different data enrichment companies, People Data Labs (PDL) and OxyData.Io (OXY).
“The data discovered on the open Elasticsearch server was almost a complete match to the data being returned by the People Data Labs API. The only difference was that the data returned by the PDL also contained education histories. There was no education information in any of the data downloaded from the server. Everything else was the same, including accounts with multiple email addresses and multiple phone numbers,” the researchers said in a statement.
“Analysis of the ‘Oxy’ database revealed an almost complete scrape of LinkedIn data, including recruiter information. Upon contacting OxyData, I was also informed that the server did not belong to them. Oxy was not willing to give me access to their API to test/compare profiles, but they were nice enough to send me a copy of my own record for analysis. The data they sent contained mostly scraped LinkedIn profiles and appears to be a match for the data,” the statement added.
Several earlier security incidents have also involved Elasticsearch servers. Recently, almost everyone in Ecuador became a victim of a massive data breach that exposed the personal information of over 20 million individuals, including the country’s president and WikiLeaks founder Julian Assange, who was granted asylum by Ecuador in 2012.
Security firm vpnMentor discovered the breach on a Miami-based Elasticsearch server owned by an Ecuadorian company, Novaestrat. The exposed data appears to have come from various sources, including the Ecuadorian national bank, Ecuadorian government registries, and an automotive association called Aeade.
In another case, an unprotected Elasticsearch database exposed around 198 million personal records of car buyers online. Jeremiah Fowler, a security researcher at Security Discovery, stated that he discovered a database containing 413 GB of data that was left online without any password protection.