Articles by Bob Diachenko

Data Breach, elasticsearch May 25, 2020

Personal Details and IDs of Millions of Indian Families Exposed As A Result of Security Incident

On May 23rd, another Elasticsearch misconfiguration incident has led to the exposure of the personal details and Aadhar number for millions of families registered under Mukhya Mantri Parivar Samridhi Yojana (MMPSY), which is one of the…

Like this story? Please share it!

Blog, Data Breach, elasticsearch May 8, 2020

PADI Certified Divers Records Exposed in a Misconfiguration Incident

On May 6th I have identified an open and unprotected Elasticsearch server that appeared to contain registration details for US-based divers certified by PADI, Professional Association of Diving Instructions. Cluster contained 2,313,197 records with the…

Like this story? Please share it!

elasticsearch April 21, 2020

Energy Company in Poland Exposed Data of its Customers

On April 16th I have discovered an unprotected and publicly indexed Elasticsearch cluster that contained 3,376,912 records with personally identifiable information (PII). Upon closer examination, database appeared to be part of a cloud environment set…

Like this story? Please share it!

Blog, Data Security Education, spammers April 14, 2020

SMS Spam Operation Rebrands, Continues to Leak Customer Information

Earlier this year, I discovered that SMS marketing firm, Rocket Text (rocket-text.com), failed to secure its Mongo database exposing just over 63 million customer emails and phone numbers. Rocket Text, formerly known as ApexSMS, first…

Like this story? Please share it!

Blog, Data Breach, elasticsearch March 19, 2020

A UK-based Security Company Seemed To Have Inadvertently Exposed Its ‘Leaks Database’ with 5B+ Records

On March 16th I have found an unprotected and thus publicly available Elasticsearch instance which appeared to be managed by a UK-based security company, according to the SSL certificate and reverse DNS records. The irony…

Like this story? Please share it!

Blog, Data Breach, database, mongodb February 13, 2020

US non-profit for international study exposes private documents of thousands of students: report

The Institute of International Education (IIE), a US nonprofit that focuses on foreign exchange study and scholarship, exposed a database on the web containing thousands of logs and links to private student documents. The database…

Like this story? Please share it!

Data Breach, database, elasticsearch December 18, 2019

Honda Exposes Vehicle Owner Records on the Web

On December 11th, 2019, I have identified an open and unprotected Elasticsearch cluster with 976 millions of records which appeared to be part of Honda North America infrastructure, exposed online to anyone with a web browser….

Like this story? Please share it!

Data Breach, heartbeat, IoT, mongodb October 15, 2019

Whirlpool Exposed Database with Home Appliances Scan Results

On October 1st, I have found a rather unusual web interface of Heartbeat monitoring service. The open and publicly available instance contained a graph and description which immediately got my attention: Here you can analyze…

Like this story? Please share it!

Data Breach, elasticsearch September 26, 2019

Large Italian Online Shop Exposed Customers Details

On Sept 4th I have identified an open and unprotected Elasticsearch cluster containing sensitive details of customers of Calcioshop.it, popular online shop in Italy for football accessories. Database contained 408,995 records with information about Calcioshop customer…

Like this story? Please share it!

Data Breach, mongodb September 24, 2019

Mexican Online Bookstore Exposed Data – Again

On September 9th, I have discovered three (3) open and unprotected MongoDB instances which appeared to be part of Librería Porrúa, a long-established bookseller based in Mexico. This case would have been left unnoticed if I…

Like this story? Please share it!

database, mongodb September 17, 2019

Banking Trojan Database Exposed – Millions of Users At Risk

On July 5th I discovered two (!) open and publicly accessible MongoDB instances which appeared to be part of the GootKit network – one of the most advanced banking Trojans discovered in the wild in the…

Like this story? Please share it!

Data Breach, Data Security Education, elasticsearch September 13, 2019

Bold.com Exposed Its Internal Infrastructure

Bold.com, company behind popular solutions to help jobseekers find jobs, and help businesses find candidates – LiveCareer, Resume-Now, my Perfect Resume, Mighty Recruiter – inadvertently exposed part of its internal infrastructure used for project tracking and project…

Like this story? Please share it!

database, elasticsearch August 26, 2019

Gartner’s Legacy System Exposed Online

On August 14th I have sent a responsible disclosure notice to Gartner, the world’s leading information technology research and advisory company, alerting them on a misconfigured Elasticsearch cluster with 1TB+ of data. According to Shodan and…

Like this story? Please share it!

Blog, Data Breach, ipv6, mongodb August 14, 2019

Home and Family Job Search Engine Exposed Its Database

FamilaFacil, a Madrid-based home and family job search platform, has exposed its MongoDB database with details on their users and candidates. This was the first time I discovered an unprotected instance sitting in IPv6 environment…

Like this story? Please share it!

Blog, Data Breach, database, elasticsearch August 12, 2019

Microfinance Agency Exposed Thousands of Customer Records

In another Elasticsearch misconfiguration incident Credia.ge, a Tbilisi-based (Georgia) agency, exposed personal and loan information for thousands of its customers. I have identified the publicly available Elasticsearch cluster on August 3rd, however, according to Shodan…

Like this story? Please share it!

Blog, Data Breach, Data Security Education, mongodb August 8, 2019

Sex Sells! Spanish Chain of “Men’s Clubs” Exposed Its Database

On August 4th I discovered an open and unprotected MongoDB database which appeared to be part of a Spanish company managing a chain of “men’s clubs” across the country. IP with the database in question…

Like this story? Please share it!

Blog, Data Security Education, mongodb, Opinion Article July 29, 2019

Even randomized dummy data should be protected

A database belonging to online voting system provider Everyone Counts has been exposed, leaving what appears to be “randomized and anonymized” data used to simulate millions of voters and election workers open to the public….

Like this story? Please share it!

Blog, Data Breach, Data Security Education, jenkins July 8, 2019

GE Aviation exposed internal configs via open Jenkins instance

Back in June I decided to check how many open Jenkins instances are available for search and did additional parsing of Shodan search results html pages for better understanding. Jenkins is a service instance used…

Like this story? Please share it!

Blog, Data Breach, elasticsearch June 3, 2019

The University of Chicago Medicine Exposed ‘Perspective Givers’ Database With More Than A Million of Records

Elasticsearch misconfigurations and related data incidents have became top news recently, even after Elastic introduced free security packs for all their users. Nevertheless, we at SecurityDiscovery.com, are still registering 5-10 big cases every month and…

Like this story? Please share it!

Blog, Data Breach, mongodb May 29, 2019

London-based Marketplace Accidentally Exposed Personal Details of its Customers

In another MongoDB-related misconfiguration incident, a UK-based company exposed personal and payment data of several hundreds of its customers. On May 21st, I have identified an open and unprotected MongoDB instance, with no password/login needed…

Like this story? Please share it!

Security Discovery

Cyber Security News & Consulting Services

Articles by Bob Diachenko

Personal Details and IDs of Millions of Indian Families Exposed As A Result of Security Incident

PADI Certified Divers Records Exposed in a Misconfiguration Incident

Energy Company in Poland Exposed Data of its Customers

SMS Spam Operation Rebrands, Continues to Leak Customer Information

A UK-based Security Company Seemed To Have Inadvertently Exposed Its ‘Leaks Database’ with 5B+ Records

US non-profit for international study exposes private documents of thousands of students: report

Honda Exposes Vehicle Owner Records on the Web

Whirlpool Exposed Database with Home Appliances Scan Results

Large Italian Online Shop Exposed Customers Details

Mexican Online Bookstore Exposed Data – Again

Banking Trojan Database Exposed – Millions of Users At Risk

Bold.com Exposed Its Internal Infrastructure

Gartner’s Legacy System Exposed Online

Home and Family Job Search Engine Exposed Its Database

Microfinance Agency Exposed Thousands of Customer Records

Sex Sells! Spanish Chain of “Men’s Clubs” Exposed Its Database

Even randomized dummy data should be protected

GE Aviation exposed internal configs via open Jenkins instance

The University of Chicago Medicine Exposed ‘Perspective Givers’ Database With More Than A Million of Records

London-based Marketplace Accidentally Exposed Personal Details of its Customers