In early May, longtime data-breach hunter and security researcher Jeremiah Fowler discovered an exposed Elastic database containing 184,162,718 records across more than 47 GB of data.
Aside from individuals, the exposed data also presented potential national security risks, Fowler says.
In the 10,000 sample records there were 220 email addresses with .gov domains.
The database Fowler found, though, is “an unmanaged server” hosted on World Host Group’s infrastructure and fully controlled by a customer.
As with any exposed database, the concern is that sensitive data could be stolen and abused.
Unintentionally exposing data in a misconfigured or otherwise unprotected database is a long-standing privacy nightmare that has proven hard to eliminate. The recent discovery of a huge trove of 184 million records, including login credentials for accounts linked to multiple governments as well as records from Apple, Facebook, and Google, highlights the risks of carelessly gathering private data in a repository that can become a single point of failure.
Longtime security researcher and data-breach hunter Jeremiah Fowler found an exposed Elastic database with over 47 GB of data and 184,162,718 records in early May. According to Fowler, he can usually infer who owns an exposed database from its contents, such as company information, customer or employee data, or other hints that point to the purpose of the data collection. This database, however, offered no clues about the data’s owner or where it had been collected.
The enormous volume and diversity of the login information, which includes accounts linked to numerous digital services, suggests that the data is some kind of compilation: either directly owned by attackers who harvested it with infostealer malware, or maintained by researchers investigating a data breach or other cybercrime activity.
“I think this is among the most peculiar ones I’ve discovered in a long time,” Fowler remarks. “Since this is direct access to individual accounts, the risk factor here is far greater than most of the other things I come across. The ideal working list for a cybercriminal is this one.”
Every record contained a URL for the website or service, an ID tag for the type of account, a username, and a plaintext password. According to Fowler, the password field was named “Senha,” the Portuguese word for password.
The 10,000 records Fowler examined included more than 100 Microsoft, Netflix, and PayPal accounts each, along with 479 Facebook accounts, 475 Google accounts, 240 Instagram accounts, 227 Roblox accounts, and 209 Discord accounts. That sample, a very small portion of the overall exposure, also contained logins from Amazon, Apple, Nintendo, Snapchat, Spotify, Twitter, WordPress, and Yahoo, among many others. When Fowler searched the sample by keyword, he found 187 occurrences of the word “bank” and 57 of the word “wallet.”
Fowler, who did not download the data, contacted a sample of the exposed email addresses and received confirmation from some recipients that the accounts were legitimate.
According to Fowler, the exposed data posed possible national security threats in addition to individual ones. There were 220 email addresses with .gov domains among the 10,000 sample records. These were associated with at least 29 nations, including the US, Australia, Canada, China, India, Israel, New Zealand, Saudi Arabia, and the UK.
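As an added illustration (not Fowler’s own tooling, and run on constructed records rather than the exposed data), this Python sketch shows how an incident responder might triage a sample with the field layout described above: it discards the plaintext “Senha” values before doing anything else, tallies records per service, counts government addresses, and runs the same kind of keyword search over the non-secret fields.

```python
from collections import Counter
from urllib.parse import urlparse

# Constructed sample records mimicking the field layout described in the article; not real data.
SAMPLE_RECORDS = [
    {"url": "https://accounts.google.com/signin", "type": "google",
     "username": "alice@example.com", "Senha": "hunter2"},
    {"url": "https://www.facebook.com/login", "type": "facebook",
     "username": "bob@agency.example.gov", "Senha": "Summer2024!"},
    {"url": "https://online.examplebank.com/login", "type": "bank",
     "username": "carol@example.org", "Senha": "pa55word"},
    {"url": "https://wallet.example.net/auth", "type": "crypto wallet",
     "username": "dave@dept.example.gov.uk", "Senha": "letmein"},
    {"url": "https://discord.com/login", "type": "discord",
     "username": "erin@example.com", "Senha": ""},
]

PASSWORD_FIELD = "Senha"  # Portuguese for "password", the field name seen in the exposed index


def service_of(url: str) -> str:
    """Heuristic: the label before the TLD names the service (accounts.google.com -> google)."""
    labels = (urlparse(url).hostname or "").split(".")
    return labels[-2] if len(labels) >= 2 else ""


def is_gov_address(email: str) -> bool:
    """True when any domain label is 'gov', so both agency.example.gov and dept.example.gov.uk match."""
    _, _, domain = email.rpartition("@")
    return "gov" in domain.lower().split(".")


def redact(record: dict) -> dict:
    """Drop the plaintext secret entirely; keep only whether one was present."""
    clean = {k: v for k, v in record.items() if k != PASSWORD_FIELD}
    clean["has_plaintext_password"] = bool(record.get(PASSWORD_FIELD))
    return clean


def triage(records, keywords=("bank", "wallet")):
    """Summarise exposure without retaining secrets: per-service counts, .gov hits, keyword hits."""
    cleaned = [redact(r) for r in records]
    summary = {
        "total": len(cleaned),
        "services": Counter(service_of(r["url"]) for r in cleaned),
        "gov_accounts": sum(is_gov_address(r["username"]) for r in cleaned),
        "plaintext_passwords": sum(r["has_plaintext_password"] for r in cleaned),
        # Keyword search over URL and account-type fields only, never over the secret.
        "keyword_hits": {kw: sum(kw in f"{r['url']} {r['type']}".lower() for r in cleaned)
                         for kw in keywords},
    }
    return summary, cleaned
```

The per-service and government counts are what drive notification decisions; the redacted copy is the only thing worth keeping once the summary is produced.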
Although Fowler was unable to determine who created the database or where the login credentials originated, he reported the exposure to the hosting company, World Host Group. World Host Group did not reply to him until after WIRED contacted it, but Fowler says access to the database was promptly cut off.
In a statement, World Host Group CEO Seb de Lemos tells WIRED that the company runs systems for over 2 million websites. However, the database that Fowler discovered is “an unmanaged server” that is entirely under a customer’s control and housed on World Host Group’s infrastructure.
“It looks like a fraudulent user registered and uploaded unlawful content to their server,” De Lemos wrote in the statement. “Since that time, the system has been shut down. Any information we have that might be pertinent to law enforcement is being examined by our legal team.”
According to De Lemos, the organization has improved its reporting system and is in communication with Fowler. “Although we are unable to provide WIRED with customer-specific information, we will work closely with the relevant law enforcement agencies and, when necessary, provide them with all pertinent customer data.”
Although the database has since been secured and eventually taken offline entirely, it is unclear whether anyone other than Fowler accessed the trove while it was online. As with any exposed database, there is a risk that private information was stolen and will be misused. In this case there is also a very real chance that the logins could be used for fraud, to steal more data, or even to compromise other organizations.
Although he cannot be certain, Fowler believes the information was gathered by hackers using an infostealer.
“This was probably a cybercriminal,” he says. “I can’t think of another way to obtain that many login credentials from so many services worldwide, so it’s the only thing that makes sense.”