Elasticsearch server leaks 2.7 billion e-mail records and 1 billion plaintext passwords, including accounts from several major Chinese tech companies

Time: 2020-10-14


Less than a month ago, security researchers Bob Diachenko and Vinny Troia discovered a publicly accessible Elasticsearch server containing 1.2 billion user accounts, data that had also been exposed on the dark web. The cause of most such leaks is the same: the Elasticsearch server is not password protected.

Hot on the heels of that 1.2 billion-record Elasticsearch leak, a new round of data exposure has surfaced. This time, researchers found 2.7 billion e-mail addresses, 1 billion e-mail account passwords and an application holding nearly 800,000 birth certificate copies on an insecure cloud storage server.

“In terms of numbers alone, it’s probably the biggest leak I’ve ever seen,” Diachenko said.

Bob Diachenko, a security researcher at Security Discovery, said last week that a huge Elasticsearch database containing more than 2.7 billion e-mail addresses had been discovered, including 1 billion passwords in plain text. Most of the leaked e-mail domains belong to Chinese e-mail providers such as Tencent, Sina, Sohu and NetEase; some Yahoo, Gmail and Russian e-mail domains were also affected. The stolen e-mails and passwords also resemble those leaked in 2017, which hackers at the time put up for sale directly on the dark web.


The Elasticsearch server belonged to a hosting provider in the United States and was shut down on December 9, after Diachenko published a report on the exposed database. Even so, it had been open for at least a week, allowing anyone to access it without a password.

The 2.7 billion leaked e-mail addresses cannot be verified as valid, but they were clearly obtained illegally. Diachenko believes that e-mail accounts often receive little attention from enterprises, when in fact they are among the more likely targets of attack.

It is not clear who made the database public, whether hackers or security researchers. Either way, the exposure ignores the security options that Elasticsearch already provides, and is just one more instance in a long list of cases where the importance of protecting cloud storage was overlooked.

Diachenko found one clue in his research: the owner of the database had stored MD5, SHA-1 and SHA-256 hashes of each stolen e-mail address, most likely to make the database easier to search. It looks as though someone who bought the database tried to set up its search function, but misconfigured the server so that it was publicly accessible.

Configuration errors that expose data on the public Internet are enough on their own to enable attacks: attackers can defraud account owners or steal identity information, and there are many documented cases of targeted e-mail phishing and account takeover.

The open-source edition of Elasticsearch offers no data protection features of its own, only basic perimeter protection such as a firewall. Anurag Kahol, Bitglass's chief technology officer, recommends that businesses make sure they have a clear understanding of, and control over, their customer data: use real-time access control, encrypt data at rest, and configure cloud security settings that can detect any misconfiguration.
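A defender-side check for the misconfiguration at the centre of this story, added here as an example (it is not code from the article, from Diachenko or from Elastic): it classifies what an unauthenticated request to a node's root endpoint returns, so operators can audit the nodes they are responsible for. The URL and the sample replies are constructed for illustration.

```python
"""Audit an Elasticsearch node you operate for the exposure described
above: answering REST requests from anyone with no authentication.
Added example, not the article's or Elastic's code; samples are constructed."""
import json
import urllib.error
import urllib.request


def classify_root_response(status: int, body: str) -> str:
    """Classify the reply to an unauthenticated GET / on the REST port.

    Returns one of:
      'exposed'   - 200 with cluster metadata: anyone can read the node
      'protected' - the node demanded credentials (401) or refused (403)
      'unknown'   - anything else (proxy page, non-JSON body, ...)
    """
    if status in (401, 403):
        return "protected"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "unknown"
        # The Elasticsearch banner carries cluster_name and a version block.
        if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
            return "exposed"
    return "unknown"


def audit_node(url: str, timeout: float = 5.0) -> str:
    """Send one unauthenticated GET to url (e.g. http://127.0.0.1:9200/)
    and classify the answer. Intended for hosts under your own control."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_root_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify_root_response(e.code, e.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return "unknown"


# Constructed sample replies so the classifier can be exercised offline.
SAMPLE_OPEN_BANNER = json.dumps({
    "name": "node-1", "cluster_name": "sample-cluster",
    "version": {"number": "0.0.0-sample"}, "tagline": "You Know, for Search",
})
SAMPLE_AUTH_REQUIRED = json.dumps({"error": {"type": "security_exception",
                                   "reason": "missing authentication credentials"}, "status": 401})

if __name__ == "__main__":
    print(classify_root_response(200, SAMPLE_OPEN_BANNER))    # exposed
    print(classify_root_response(401, SAMPLE_AUTH_REQUIRED))  # protected
```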