Security Discovery - Cyber Security News & Consulting Services

Data Breach, elasticsearch May 25, 2020

Personal Details and IDs of Millions of Indian Families Exposed As A Result of Security Incident

On May 23rd, another Elasticsearch misconfiguration incident has led to the exposure of the personal details and Aadhar number for millions of families registered under Mukhya Mantri Parivar Samridhi Yojana (MMPSY), which is one of the…

Like this story? Please share it!

Blog, Data Breach, elasticsearch May 8, 2020

PADI Certified Divers Records Exposed in a Misconfiguration Incident

On May 6th I have identified an open and unprotected Elasticsearch server that appeared to contain registration details for US-based divers certified by PADI, Professional Association of Diving Instructions. Cluster contained 2,313,197 records with the…

Like this story? Please share it!

elasticsearch April 21, 2020

Energy Company in Poland Exposed Data of its Customers

On April 16th I have discovered an unprotected and publicly indexed Elasticsearch cluster that contained 3,376,912 records with personally identifiable information (PII). Upon closer examination, database appeared to be part of a cloud environment set…

Like this story? Please share it!

Blog, Data Security Education, spammers April 14, 2020

SMS Spam Operation Rebrands, Continues to Leak Customer Information

Earlier this year, I discovered that SMS marketing firm, Rocket Text (rocket-text.com), failed to secure its Mongo database exposing just over 63 million customer emails and phone numbers. Rocket Text, formerly known as ApexSMS, first…

Like this story? Please share it!

Blog, Data Breach, elasticsearch March 19, 2020

A UK-based Security Company Seemed To Have Inadvertently Exposed Its ‘Leaks Database’ with 5B+ Records

On March 16th I have found an unprotected and thus publicly available Elasticsearch instance which appeared to be managed by a UK-based security company, according to the SSL certificate and reverse DNS records. The irony…

Like this story? Please share it!

Blog, Data Breach, database March 2, 2020

Free Wifi User Data Exposed in Multiple UK Train Stations

On February 14th I discovered a non-password protected database that contained a massive amount of records totaling 146 million. Upon further review I was able to see connections to what appeared to be free wifi…

Like this story? Please share it!

Data Breach, database February 18, 2020

FairBridge Inn & Suites Exposed Customer Booking Platform

Booking a hotel online is now so common that we consumers never give it a second thought when traveling. We enter our information, provide payment details and then cross our fingers. Unfortunately once we provide…

Like this story? Please share it!

Blog, Data Breach, database, mongodb February 13, 2020

US non-profit for international study exposes private documents of thousands of students: report

The Institute of International Education (IIE), a US nonprofit that focuses on foreign exchange study and scholarship, exposed a database on the web containing thousands of logs and links to private student documents. The database…

Like this story? Please share it!

Blog, database, Uncategorized February 11, 2020

Estee Lauder Exposed 440 Million Records Online

On January 30th I discovered a non-password protected database that contained a massive amount of records totaling 440,336,852. Upon further review I was able to see connections to New York based cosmetic company Estée Lauder. I…

Like this story? Please share it!

Blog, Data Breach, database February 4, 2020

Pabbly Email Marketing Exposes 51.2 Million Records Online

Email marketing is big business and many companies rely on emails to keep in contact with their customers or potential customers. In the modern world of over priced pay per click ads targeted email marketing…

Like this story? Please share it!

Blog, Data Breach, database January 13, 2020

Online Eyewear Websites Expose Data of 186k Customers

In October 2019 I discovered a database that contained 186,000 sales records and 40.4 million visitor IP addresses. From October 23rd, 2019 to January 13th, 2020 I sent multiple emails and left numerous voice messages….

Like this story? Please share it!

Data Breach, database, elasticsearch December 18, 2019

Honda Exposes Vehicle Owner Records on the Web

On December 11th, 2019, I have identified an open and unprotected Elasticsearch cluster with 976 millions of records which appeared to be part of Honda North America infrastructure, exposed online to anyone with a web browser….

Like this story? Please share it!

Data Breach, database, elasticsearch, Uncategorized November 13, 2019

Prank Call Service PrankDial Exposed 138 Million Records Online

On October 28th I discovered a non-password protected database that contained millions of log files. Upon further research, the records all contained information that identified PrankDial.com as the owner of the data. I immediately sent…

Like this story? Please share it!

Blog, Data Breach, database, elasticsearch October 28, 2019

2.59 Million Credit Card Transactions Exposed –

Two data incidents just months apart from each other. Back in February 2019 I found a database that belonged to a Nigerian based company. The first database contained over 8 million records. The representatives replied…

Like this story? Please share it!

Blog, Data Breach, elasticsearch October 22, 2019

Religious Website and Software Provider Leaks Customer and Credit Card Data for Many Months

Religious website service Clover Sites exposed customer data for at least 6-7 months and the dataset was found twice on two separate databases. On May 22nd I discovered and reported a data exposure incident involving…

Like this story? Please share it!

Data Breach, heartbeat, IoT, mongodb October 15, 2019

Whirlpool Exposed Database with Home Appliances Scan Results

On October 1st, I have found a rather unusual web interface of Heartbeat monitoring service. The open and publicly available instance contained a graph and description which immediately got my attention: Here you can analyze…

Like this story? Please share it!

Blog, Data Breach, Data Security Education October 11, 2019

When Test Data is Not Test Data

There is a growing trend among organizations and companies to simply deny that live production data is real. As a security researcher I often hear that everyone is a small start-up and all data is…

Like this story? Please share it!

Data Breach, elasticsearch September 26, 2019

Large Italian Online Shop Exposed Customers Details

On Sept 4th I have identified an open and unprotected Elasticsearch cluster containing sensitive details of customers of Calcioshop.it, popular online shop in Italy for football accessories. Database contained 408,995 records with information about Calcioshop customer…

Like this story? Please share it!

Data Breach, mongodb September 24, 2019

Mexican Online Bookstore Exposed Data – Again

On September 9th, I have discovered three (3) open and unprotected MongoDB instances which appeared to be part of Librería Porrúa, a long-established bookseller based in Mexico. This case would have been left unnoticed if I…

Like this story? Please share it!

Blog, Data Breach, database, elasticsearch September 24, 2019

Investment Research Company Exposed Subscribers, Credit Card Data, and Evidence of Ransomware

Way back in March, 2019 Security Discovery’s Bob Diachenko discovered a non-password protected database that contained 18,000 user names, mailing addresses, hashed passwords, and credit card information such as the last 4 digits of the…

Like this story? Please share it!