"The data left unprotected was actually a database, aggregating 1.2 billion users' personal information, e.g., social media accounts, email addresses and phone numbers. The incident was relayed on the Data Viper blog.
Bloomberg quoted Troia. "There are no passwords related to this data, but having a new, fresh set of passwords isn't that exciting anymore. Having all of this social media stuff in one place is a useful weapon and investigative tool."
After all, just nabbing names, phone numbers and account URLs delivers ample information to get attackers started."
Data Viper writes:
"On October 16, 2019 Bob Diachenko and Vinny Troia discovered a wide-open Elasticsearch server containing an unprecedented 4 billion user accounts spanning more than 4 terabytes of data.
A total count of unique people across all data sets reached more than 1.2 billion people, making this one of the largest data leaks from a single source organization in history. The leaked data contained names, email addresses, phone numbers, LinkedIN and Facebook profile information.
What makes this data leak unique is that it contains data sets that appear to originate from 2 different data enrichment companies.
For a very low price, data enrichment companies allow you to take a single piece of information on a person (such as a name or email address), and expand (or enrich) that user profile to include hundreds of additional new data points of information. As seen with the Exactis data breach, collected information on a single person can include information such as household sizes, finances and income, political and religious preferences, and even a person’s preferred social activities.
Each time a company chooses to “enrich” a user profile, they are also agreeing to provide what they know about the person to the enriching organization (thereby increasing the validity of the organization’s future results). Despite efforts from social media organizations like Facebook, the resulting data continues to be compounded, creating a situation with no oversight that ultimately allows all of a person’s social and personal information to be easily downloaded."Wired magazine writes:
"For well over a decade, identity thieves, phishers, and other online scammers have created a black market of stolen and aggregated consumer data that they used to break into people's accounts, steal their money, or impersonate them. In October, dark web researcher Vinny Troia found one such trove sitting exposed and easily accessible on an unsecured server, comprising 4 terabytes of personal information—about 1.2 billion records in all.
While the collection is impressive for its sheer volume, the data doesn't include sensitive information like passwords, credit card numbers, or Social Security numbers."
One can only hope that other cloud servers, e.g., ones the Social Security Administration or the US military uses, aren't just left open like that for anyone to play with. Past performance has not been confidence-inspiring and it probably does predict future performance.
No comments:
Post a Comment