Security

A British Security Company Leaks Five Billion Records Online (Update)

By Bill Toulas / March 20, 2020

Researcher Bob Diachenko has found yet another unprotected Elasticsearch instance online, containing a collection of reported data breaches. In total, the leaking database contained more than five billion records laid out in a well-structured form, with the cluster having two collections given the name “leaks_v1” and “leaks_v2”. So, it appears the company that managed the database had collected these records from security incidents that occurred between 2012 and 2019, then organized the data, and stored it for their own purposes. The main problem here is that the security firm leaked the data again, and these records were reintroduced online in a form that hackers would celebrate to have.

The owner of the database is a British security company dealing with threat intelligence, incident response, and phishing simulation. The database was first indexed on March 15, 2020, and Diachenko found it a day after. He alerted the company immediately, but they did not respond quickly to acknowledge the incident. Still, the database went offline within an hour following the notification, so the impact of the re-exposure was at least kept to a minimum.

The types of data that was included in each data entry were the following:

database_entries

Source: Security Discovery

The most prominent sources of leak that the researcher could confirm by analyzing the data were: Adobe, Last.fm, Twitter, LinkedIn, Tumblr, and VK. It is almost certain that there are more notable leak sources in there, but analyzing 5.5 billion records isn’t exactly a walk in the park. That is especially the case when one of the collections, “leaks_v2”, was updated in real-time, being fed with more data from leaks that occur. Possibly, the security company is monitoring dark web marketplaces and forums, grabbing dumps, and adding them to their database. Hopefully, they do it for research, reporting, and protection purposes. Allegedly, no customer data had been exposed or breached.

Although the firm maintains an active presence on social media, they have made no statements about the discovery. There’s an ample amount of irony going on here, as a security firm should know better when it comes to protecting Elasticsearch instances. Even if the exposed information isn't fresh, re-leaking it in a very usable form is a mistake that we would expect a different kind of entity to do.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: