Blog

Blog, Data Breach, database, elasticsearch July 23, 2019

Jana Small Finance Bank Exposed Millions of Records Online

On May 26th, I discovered a non-password protected database that contained what appeared to be millions of financial transactions. Upon further research I was able to connect the data to an Indian based microfinance bank…

Like this story? Please share it!

Blog, Data Breach, Data Security Education, jenkins July 8, 2019

GE Aviation exposed internal configs via open Jenkins instance

Back in June I decided to check how many open Jenkins instances are available for search and did additional parsing of Shodan search results html pages for better understanding. Jenkins is a service instance used…

Like this story? Please share it!

Blog, Data Breach, elasticsearch June 3, 2019

The University of Chicago Medicine Exposed ‘Perspective Givers’ Database With More Than A Million of Records

Elasticsearch misconfigurations and related data incidents have became top news recently, even after Elastic introduced free security packs for all their users. Nevertheless, we at SecurityDiscovery.com, are still registering 5-10 big cases every month and…

Like this story? Please share it!

Blog, Data Breach, mongodb May 29, 2019

London-based Marketplace Accidentally Exposed Personal Details of its Customers

In another MongoDB-related misconfiguration incident, a UK-based company exposed personal and payment data of several hundreds of its customers. On May 21st, I have identified an open and unprotected MongoDB instance, with no password/login needed…

Like this story? Please share it!

Blog, Data Breach, database, elasticsearch May 28, 2019

Mysterious Chinese Dating Apps Targeting US Customers Expose 42.5 Million Records Online

On May 25th I discovered a non password protected Elastic database that was clearly associated with dating apps based on the names of the folders. The IP address is located on a US server and…

Like this story? Please share it!

Blog, Data Breach, elasticsearch April 29, 2019

SkyMed Medical Evacuation Membership Service Exposed Data of 137k Members

On March 27th I discovered an unsecured Elasticsearch database that contained what appeared to be members of a medical evacuation membership service. Upon further inspection of the data there were many references that the data…

Like this story? Please share it!

Blog, Data Breach, database, mongodb April 18, 2019

Iranian Ride-Hailing App Database Exposure

On April 18th, during our regular security audit of nonSql databases with BinaryEdge search engine, I have discovered an open and publicly available MongoDB instance which contained astonishingly sensitive information on Iranian drivers. Information was…

Like this story? Please share it!

Blog, database, elasticsearch, spammers April 2, 2019

Massive Spam Operation Uncovered In A Database Leak

Sometimes databases are left wide open not only by legit companies, but misconfigured by malicious actors themselves. Last month I have discovered a publicly available database with almost 5GB of 11,535,164 records with compromised emails…

Like this story? Please share it!

Blog, Data Breach April 1, 2019

Large Privacy Breach In India: Millions of Pregnant Women Had Their Details Leaked

Medical data is among the most sensitive information that organizations can collect, store, or share. It is never a good idea to store medical data in plain text or leave it publicly accessible. The nightmare…

Like this story? Please share it!

Blog March 25, 2019

Auchan France Left Digital Keys Exposed

On March 21, 2019, I have discovered a publicly available service instance which appeared to contain credentials and login details to Auchan E-Commerce infrastructure. IP with Marathon and Zookeeper instances was indexed by public search…

Like this story? Please share it!

Blog, Data Breach March 20, 2019

Spanish Gym Franchise Database Exposed By Partner’s Data Breach

On March 8th, 2019, I have identified a passwordless MongoDB database that was exposing sensitive information of an estimated 6,608 VivaGym job candidates and other business related data. VivaGym is a Spanish low-cost gym franchise…

Like this story? Please share it!

Blog, Data Breach March 19, 2019

NJ Based Home Health Radiology Services Leaked Nearly 40k Case Files

On March 1st I discovered a non-password protected database that contained what appeared to be medical case files. I immediately notified the organization that we suspected was responsible based on information found inside the database….

Like this story? Please share it!

Blog, Data Breach March 7, 2019

800+ Million Emails Leaked Online by Email Verification Service

On February 25th, 2019, I discovered a non-password protected 150GB-sized MongoDB instance. This is perhaps the biggest and most comprehensive email database I have ever reported. Upon verification I was shocked at the massive number…

Like this story? Please share it!

Blog, Data Breach, world February 27, 2019

Dow Jones Risk Screening Watchlist Exposed Publicly in a Major Data Breach

On Feb 22 2019, I found a copy of the Dow Jones Watchlist dataset, sitting on a public Elasticsearch cluster 4.4GB in size and available for public access to anyone who knew where to look…

Like this story? Please share it!

Blog, Data Breach February 21, 2019

Delhi Citizens Data Leak

On Feb 19, 2019, I have discovered a MongoDB that required no password. The database was located in an India region which (along with other data) also contained highly sensitive information collected on 458,388 individuals…

Like this story? Please share it!

Blog, Data Breach February 18, 2019

Human Resources and employee management provider CavinHR leaks 400,000+ files including their customer’s employee files and internal employees.

CavinHR had a data breach. Automation and technology is important to any business where time is money, but one thing to never overlook is cyber security. It is common knowledge in the business world that…

Like this story? Please share it!

Blog, Data Breach February 11, 2019

Large eAccounting Data Breach in Mexico

On January 22, 2019, we have identified a passwordless MongoDB database with almost 5 Million records labeled as CFDI (short for Comprobantes Fiscal Digital por Internet) – the electronic billing schema defined by the Mexican federal tax…

Like this story? Please share it!

Blog, Data Breach January 23, 2019

Document Management Company Left Credit Reports Online

On January 10th, I identified an unprotected Elasticsearch cluster which contained 51 GB of what appeared to be OCR (Optical character recognition) credit and mortgages reports, with total number of records in the database more…

Like this story? Please share it!

Blog January 23, 2019

Hundreds of VOIP Phone Databases Left Exposed No Password Needed and Ready to be Exploited

VOIP is Voice over Internet Protocol and just as the name suggests it allows for the delivery of voice communications and multimedia over the internet. As a security researcher I find lots of interesting things…

Like this story? Please share it!

Blog, Data Breach January 21, 2019

The World’s Largest Youth-Run Organization Had a Data Breach

On January 11th, Bob Diachenko of SecurityDiscovery.com, identified another unprotected Elasticsearch instance which contained millions of records – this time related to AIESEC, “the world’s largest youth-run organization. According to Wikipedia the AIESEC network has…

Like this story? Please share it!