Unsecured databases are potential cyberthreats for organizations. Perpetrators often look for unprotected/misconfigured servers to infiltrate and compromise sensitive corporate data. A recent security research by Comparitech, led by cybersecurity researcher Bob Diachenko, revealed that cybercriminals attacked an unsecured ElasticSearch database that affected over 5 billion records.
According to the report, the exposed database belongs to cybersecurity analytics firm Cognyte, which was exposed online without password protection, allowing open access to strangers. The exposed database was stored by Cognyte, a cybersecurity analytics firm that stores data as part of its cyber intelligence service, which is then used to alert customers about third-party data breaches. “If a client’s contact information appeared in the database, for example, they could receive an alert notifying them that one of their accounts had been compromised. Or if they use a password that has previously been breached, they could get a notification to change it,” Cognyte said.
The leaky database is now secured after Bob Diachenko reported the issue to Cognyte.
“Cognyte was able to rapidly respond to and block a potential exposure. We appreciate such a responsible and constructive approach, which helps to raise awareness and induces companies and organizations to implement security safeguards and better protect their data,” Cognyte said.
The Data Breach Timeline
While it is unknown whether any attackers misused the leaked data, the researchers stated that the database was exposed online for at least four days:
- May 28, 2021: The database was indexed by search engines.
- May 29, 2021: Diachenko discovered the leaky database and immediately notified Cognyte.
- June 2, 2021: Cognyte secured the database.
What data was exposed?
The database held over 5,085,132,102 records that contained information including, name, email address, password, and data source. “Not all of the data breaches from which the data was sourced included passwords, however, we could not determine an exact percentage of records that contained a password. We do not know if any other third parties were accessing the data when it was exposed, nor do we know for how long it was exposed before being indexed by search engines. Our honeypot experiments show that attackers can find and access exposed data in a matter of hours,” Cognyte added.
Security Risks from Data Leaks
Cybercriminals often exploit the personal information obtained from data breaches to steal identities and misuse it to launch credential stuffing attacks, phishing, and other fraudulent scams. Several threat actor groups often get hold of such leaked data and threaten companies to expose it online or demand ransom.
Every minute is an opportunity for threat actors if they find an unsecured server left online. Attackers can find and access exposed data in a matter of seconds or hours. Another security experiment by Comparitech discovered that cybercriminals attacked a model of an unsecured database 18 times in a single day. The company set up a honeypot to know how quickly the hackers would attack an Elasticsearch server with a dummy database and fake data in it. It found 175 attacks in just eight hours after the server was deployed, and the number of attacks in one day totaled 22.
Talking about the incident to CISO MAG, Diachenko said, “It is not the first time I encounter this type of exposure. The amount and sensitive nature of previously leaked data is tremendous, so should be the efforts of any organization in possession of this data to keep it as secured as possible and prevent it from “re-leaking”. In my opinion such incidents are no less dangerous as the original data breaches collected in such troves.”
