Data Breach

Blog, Data Breach, Data Security Education October 11, 2019

When Test Data is Not Test Data

There is a growing trend among organizations and companies to simply deny that live production data is real. As a security researcher I often hear that everyone is a small start-up and all data is…

Like this story? Please share it!

Data Breach, elasticsearch September 26, 2019

Large Italian Online Shop Exposed Customers Details

On Sept 4th I have identified an open and unprotected Elasticsearch cluster containing sensitive details of customers of Calcioshop.it, popular online shop in Italy for football accessories. Database contained 408,995 records with information about Calcioshop customer…

Like this story? Please share it!

Data Breach, mongodb September 24, 2019

Mexican Online Bookstore Exposed Data – Again

On September 9th, I have discovered three (3) open and unprotected MongoDB instances which appeared to be part of Librería Porrúa, a long-established bookseller based in Mexico. This case would have been left unnoticed if I…

Like this story? Please share it!

Blog, Data Breach, database, elasticsearch September 24, 2019

Investment Research Company Exposed Subscribers, Credit Card Data, and Evidence of Ransomware

Way back in March, 2019 Security Discovery’s Bob Diachenko discovered a non-password protected database that contained 18,000 user names, mailing addresses, hashed passwords, and credit card information such as the last 4 digits of the…

Like this story? Please share it!

Blog, Data Breach, database, elasticsearch, Uncategorized September 19, 2019

Mattress Company Exposes 387k Customer Records Online

On September 5th I discovered a non-password protected database that contained 1 folder named “Customers”. Every file contained references to Verlo Mattress Factory and appeared to be customer data. Upon further investigation there were indications…

Like this story? Please share it!

Data Breach, Data Security Education, elasticsearch September 13, 2019

Bold.com Exposed Its Internal Infrastructure

Bold.com, company behind popular solutions to help jobseekers find jobs, and help businesses find candidates – LiveCareer, Resume-Now, my Perfect Resume, Mighty Recruiter – inadvertently exposed part of its internal infrastructure used for project tracking and project…

Like this story? Please share it!

Blog, Data Breach, database, elasticsearch September 11, 2019

Auto Dealer Leads Network Exposed 198 Million Records Online

On August 19th I reported a non-password protected database that contained a massive 413GB of data and a total of 198 million records. The most shocking part was that I had seen this dataset several…

Like this story? Please share it!

Blog, Data Breach, database, elasticsearch, Uncategorized August 23, 2019

Fundraising Platform Exposes 7.5 Million Records Online

Online fundraising is a growing industry that has raised many billions of dollars for worthy causes from around the street to around the world. The concept of small donations from many people can have a…

Like this story? Please share it!

Blog, Data Breach, database August 20, 2019

UK Property Preservation Company Has Data Exposed Online by 3rd Party

On July 30th I discovered an open database that contained 18,667 records including names, account numbers, transaction details, user credentials, and admin passwords. Upon further investigation I was able to connect the data to a…

Like this story? Please share it!

Blog, Data Breach, ipv6, mongodb August 14, 2019

Home and Family Job Search Engine Exposed Its Database

FamilaFacil, a Madrid-based home and family job search platform, has exposed its MongoDB database with details on their users and candidates. This was the first time I discovered an unprotected instance sitting in IPv6 environment…

Like this story? Please share it!

Blog, Data Breach, database, elasticsearch August 12, 2019

Microfinance Agency Exposed Thousands of Customer Records

In another Elasticsearch misconfiguration incident Credia.ge, a Tbilisi-based (Georgia) agency, exposed personal and loan information for thousands of its customers. I have identified the publicly available Elasticsearch cluster on August 3rd, however, according to Shodan…

Like this story? Please share it!

Blog, Data Breach, Data Security Education, mongodb August 8, 2019

Sex Sells! Spanish Chain of “Men’s Clubs” Exposed Its Database

On August 4th I discovered an open and unprotected MongoDB database which appeared to be part of a Spanish company managing a chain of “men’s clubs” across the country. IP with the database in question…

Like this story? Please share it!

Blog, Data Breach, database, elasticsearch August 7, 2019

Leadership for Educational Equity Exposes 3.69 Million Members Online

On July 26th discovered a non password protected elastic data set that contained 5.2 million documents in total. Immediately, I knew this information should not be publicly accessible and began trying to identify the ownership….

Like this story? Please share it!

Blog, Data Breach, database, elasticsearch July 25, 2019

Cheers – English Whiskey Club Leaked Info of 23,362 Members Online

On May 29th I discovered a database that contained what appeared to be a member list. Like most database names that do not clearly identify the ownership, this one was named Martha Johansson. I assume…

Like this story? Please share it!

Blog, Data Breach, database, elasticsearch July 23, 2019

Jana Small Finance Bank Exposed Millions of Records Online

On May 26th, I discovered a non-password protected database that contained what appeared to be millions of financial transactions. Upon further research I was able to connect the data to an Indian based microfinance bank…

Like this story? Please share it!

Blog, Data Breach, Data Security Education, jenkins July 8, 2019

GE Aviation exposed internal configs via open Jenkins instance

Back in June I decided to check how many open Jenkins instances are available for search and did additional parsing of Shodan search results html pages for better understanding. Jenkins is a service instance used…

Like this story? Please share it!

Blog, Data Breach, elasticsearch June 3, 2019

The University of Chicago Medicine Exposed ‘Perspective Givers’ Database With More Than A Million of Records

Elasticsearch misconfigurations and related data incidents have became top news recently, even after Elastic introduced free security packs for all their users. Nevertheless, we at SecurityDiscovery.com, are still registering 5-10 big cases every month and…

Like this story? Please share it!

Blog, Data Breach, mongodb May 29, 2019

London-based Marketplace Accidentally Exposed Personal Details of its Customers

In another MongoDB-related misconfiguration incident, a UK-based company exposed personal and payment data of several hundreds of its customers. On May 21st, I have identified an open and unprotected MongoDB instance, with no password/login needed…

Like this story? Please share it!

Blog, Data Breach, database, elasticsearch May 28, 2019

Mysterious Chinese Dating Apps Targeting US Customers Expose 42.5 Million Records Online

On May 25th I discovered a non password protected Elastic database that was clearly associated with dating apps based on the names of the folders. The IP address is located on a US server and…

Like this story? Please share it!

Data Breach, database, elasticsearch May 27, 2019

Company Offering Unique Experiences, Wine Tours, and Kids’ Parties Exposes 212,220 Records Online

On May 11th I discovered a non password protected Elastic database that contained detailed customer records and leads or potential customers. Upon further investigation of the data it appeared to belong to an Australian based…

Like this story? Please share it!