An unprotected Elasticsearch server indexed by the Shodan IoT search engine on November 14 exposed a 73 GB database of 57 million US citizens' records.
The publicly accessible server discovered by security researcher Bob Diachenko contained an Elasticsearch instance with a database of "first name, last name, employers, job title, email, address, state, zip, phone number, and IP address" personal info.
In total, Diachenko found three IP addresses that provided public access to the unprotected database of 56,934,021 records.
The openly accessible database also came with an additional index of 25 million records, which provided further information such as "carrier route, latitude/longitude, census tract, phone number, web address, email, employees count, revenue numbers, NAICS codes, SIC codes."
Although there was no conclusive information at first about the entity behind the exposed personal information database, the researcher concluded that the 'source' data field was very similar to the one used by data management company Data & Leads Inc.
The company behind the leaked database did not respond to any inquiries
However, the company did not respond to any contact attempts from Diachenko and eventually took down their entire website together with the unprotected databases.
"As of today, the database is no longer exposed to the public, however, it is unknown for how long it has been online before Shodan crawlers indexed it on November 14th and who else might have accessed the data," said Diachenko.
The leaked database has already been sent to Troy Hunt's Have I Been Pwned data breach indexing service, which will soon send data breach alerts to its users, according to a tweet by Diachenko.
"We have previously reported that the lack of authentication allowed the installation of malware or ransomware on the Elasticsearch servers," Diachenko also stated. "The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges."
At the start of September, the researcher found another public customer record database, 200 GB in size, owned by the Veeam backup and data recovery company, which forgot to secure its data and inadvertently exposed 445 million records.
[NEW REPORT] Please don't be surprised when you receive another data breach alert from @haveibeenpwned and @troyhunt and we tell you why here: http://t.co/QX1VdiBITQ
— Bob Diachenko (@MayhemDayOne) November 28, 2018