According to one study, fewer than 30% of businesses take the risks associated with data breaches seriously. Such incidents can cause financial losses ($3.62 million is the average total cost of a data breach), compromise customer data and damage the company’s reputation. In most cases, the root cause of an unsecured database was underestimating the value and importance of the data the organization uses in its business operations.
During 2017, KSC (Kromtech Security Center) discovered and helped secure sensitive information in more than 40 exposed data stores, including MongoDB instances, unprotected Amazon S3 buckets, CouchDB instances, rsync servers with insufficient authentication, misconfigured Elasticsearch clusters, and Apache Hive databases. Adding up all of the user accounts found by KSC across those 40-plus databases gives a larger number than one might expect: more than 2 billion accounts and user profiles in total, around 2 TB of unprotected data.
Let’s look back at the biggest and most significant data leaks of 2017:
[ Insecure remote synchronization protocol (rsync) / approximate cost $120 Billion* ]
Perhaps the biggest discovery ever made by KSC is an illegal database belonging to a massive spam empire. A joint team of investigators from the Kromtech Security Research Center, CSOOnline, and Spamhaus worked on it together in January 2017. Someone had left a repository unprotected by a password and, as a result, one of the biggest spam empires is now collapsing. The database contained 1.4 billion email accounts combined with real names, user IP addresses, and often physical addresses.
How to secure Rsync >
[ MongoDB / approximate cost $4.5 Billion* ]
A recent discovery concerned the Ai.Type virtual keyboard. KSC found a massive number of customer files that had leaked online and become publicly available; researchers were able to access the details of 31,293,959 users. The misconfigured MongoDB database appears to belong to Ai.Type, a Tel Aviv-based startup that designs and develops a personalized keyboard for Android and iOS devices.
[ Amazon S3 bucket ]
On September 20th, Kromtech Security researchers discovered a publicly accessible Amazon AWS S3 bucket containing around 100 MB of data attributed to an internal Verizon Wireless system called DVS (Distributed Vision Services). DVS is the middleware and centralized environment for all Verizon Wireless (the cellular arm of VZ) front-end applications, used to retrieve and update billing data.
How to protect Amazon S3 Bucket >
[ CouchDB, MongoDB / approximate cost $3 Billion* ]
Voter databases. If there is one thing the 2016 US election taught us, it is that the entire electoral process needs to become more uniform and secure. There were several high-profile leaks of voter data during 2017. One database containing information on 593,328 US citizens (Alaska voters) was exposed to the public Internet because of a misconfigured CouchDB instance. Another database contained voter information for the entire state of California, 19,264,123 records, all open to public access.
[ Amazon S3 bucket, 600GB of sensitive files ]
One of the top providers of cloud-based unified communications leaked more than 600 GB of sensitive files online. The Kromtech Security Center discovered not one but two cloud-based file repositories (AWS S3 buckets with public access) that appear to be connected to the global communications software and service provider BroadSoft, Inc. Its partners include some of the biggest names in communications, telecom, media and beyond, among them Time Warner Cable, AT&T, Sprint and Vodafone.
How to protect Amazon S3 Bucket >
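Both S3 exposures above (the Verizon DVS bucket and the BroadSoft buckets) came down to a bucket readable by anonymous clients. As an added example that is not Kromtech's code, here is a Python check over the two documents that decide that: the bucket policy (in the shape returned by GetBucketPolicy) and the bucket ACL (in the shape returned by GetBucketAcl). The sample documents, bucket name, VPC endpoint id and canonical id are constructed placeholders.

```python
# Added example (not Kromtech's code): flag the two ways an S3 bucket becomes world-readable,
# a bucket policy granting to an anonymous principal and an ACL grant to a global group.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # anyone on the internet
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account, not just yours
}

def _is_anonymous_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (the wildcard may sit inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy):
    """Sids of Allow statements granting to an anonymous principal with no Condition (conditional grants need manual review)."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without the list
        statements = [statements]
    return [st.get("Sid", "<no Sid>") for st in statements
            if st.get("Effect") == "Allow"
            and _is_anonymous_principal(st.get("Principal"))
            and not st.get("Condition")]

def public_acl_grants(acl):
    """(group name, permission) pairs for ACL grants to AllUsers or AuthenticatedUsers."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return hits

# Constructed sample documents with placeholder bucket, VPC endpoint and canonical id values.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]}
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-EXAMPLE"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}

if __name__ == "__main__":  # expected: ['PublicRead'] [('AllUsers', 'READ')]
    print(public_policy_statements(SAMPLE_POLICY), public_acl_grants(SAMPLE_ACL))
```

The VpcOnly statement is deliberately left out of the result: a wildcard principal narrowed by a condition is not automatically public, but it is exactly the kind of grant worth a second look.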
[ MongoDB / approximate cost $46 Billion* ]
Another big discovery was made in May 2017. Someone had assembled a giant database containing more than 560 million emails and passwords collected from various sources. Data of that kind had been floating around the web for a couple of years until recently, when it started appearing as “combo lists”. The database is 75+ GB in size and holds data in readable JSON format, including at least 10 previously leaked data sets from LinkedIn, Dropbox, Lastfm, MySpace, Adobe, Neopets, RiverCityMedia, 000webhost, Tumblr, Badoo, Lifeboat, etc.
With all of the recent controversy in the NFL over the National Anthem protests, it appears that things may have just gotten a little worse for professional football. On September 26, researchers from KSC identified a publicly accessible database that contained private information on NFL players and their agents, 1,133 in total.
*Per-record pricing is based on Ponemon Research sponsored by IBM Security.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.