database

Blog, Data Breach, database, elasticsearch September 24, 2019

Investment Research Company Exposed Subscribers, Credit Card Data, and Evidence of Ransomware

Way back in March, 2019 Security Discovery’s Bob Diachenko discovered a non-password protected database that contained 18,000 user names, mailing addresses, hashed passwords, and credit card information such as the last 4 digits of the…

Like this story? Please share it!

Blog, Data Breach, database, elasticsearch, Uncategorized September 19, 2019

Mattress Company Exposes 387k Customer Records Online

On September 5th I discovered a non-password protected database that contained 1 folder named “Customers”. Every file contained references to Verlo Mattress Factory and appeared to be customer data. Upon further investigation there were indications…

Like this story? Please share it!

database, mongodb September 17, 2019

Banking Trojan Database Exposed – Millions of Users At Risk

On July 5th I discovered two (!) open and publicly accessible MongoDB instances which appeared to be part of the GootKit network – one of the most advanced banking Trojans discovered in the wild in the…

Like this story? Please share it!

Blog, Data Breach, database, elasticsearch September 11, 2019

Auto Dealer Leads Network Exposed 198 Million Records Online

On August 19th I reported a non-password protected database that contained a massive 413GB of data and a total of 198 million records. The most shocking part was that I had seen this dataset several…

Like this story? Please share it!

database, elasticsearch August 26, 2019

Gartner’s Legacy System Exposed Online

On August 14th I have sent a responsible disclosure notice to Gartner, the world’s leading information technology research and advisory company, alerting them on a misconfigured Elasticsearch cluster with 1TB+ of data. According to Shodan and…

Like this story? Please share it!

Blog, Data Breach, database, elasticsearch, Uncategorized August 23, 2019

Fundraising Platform Exposes 7.5 Million Records Online

Online fundraising is a growing industry that has raised many billions of dollars for worthy causes from around the street to around the world. The concept of small donations from many people can have a…

Like this story? Please share it!

Blog, Data Breach, database August 20, 2019

UK Property Preservation Company Has Data Exposed Online by 3rd Party

On July 30th I discovered an open database that contained 18,667 records including names, account numbers, transaction details, user credentials, and admin passwords. Upon further investigation I was able to connect the data to a…

Like this story? Please share it!

Blog, Data Breach, database, elasticsearch August 12, 2019

Microfinance Agency Exposed Thousands of Customer Records

In another Elasticsearch misconfiguration incident Credia.ge, a Tbilisi-based (Georgia) agency, exposed personal and loan information for thousands of its customers. I have identified the publicly available Elasticsearch cluster on August 3rd, however, according to Shodan…

Like this story? Please share it!

Blog, Data Breach, database, elasticsearch August 7, 2019

Leadership for Educational Equity Exposes 3.69 Million Members Online

On July 26th discovered a non password protected elastic data set that contained 5.2 million documents in total. Immediately, I knew this information should not be publicly accessible and began trying to identify the ownership….

Like this story? Please share it!

Blog, Data Breach, database, elasticsearch July 25, 2019

Cheers – English Whiskey Club Leaked Info of 23,362 Members Online

On May 29th I discovered a database that contained what appeared to be a member list. Like most database names that do not clearly identify the ownership, this one was named Martha Johansson. I assume…

Like this story? Please share it!

Blog, Data Breach, database, elasticsearch July 23, 2019

Jana Small Finance Bank Exposed Millions of Records Online

On May 26th, I discovered a non-password protected database that contained what appeared to be millions of financial transactions. Upon further research I was able to connect the data to an Indian based microfinance bank…

Like this story? Please share it!

Blog, Data Breach, database, elasticsearch May 28, 2019

Mysterious Chinese Dating Apps Targeting US Customers Expose 42.5 Million Records Online

On May 25th I discovered a non password protected Elastic database that was clearly associated with dating apps based on the names of the folders. The IP address is located on a US server and…

Like this story? Please share it!

Data Breach, database, elasticsearch May 27, 2019

Company Offering Unique Experiences, Wine Tours, and Kids’ Parties Exposes 212,220 Records Online

On May 11th I discovered a non password protected Elastic database that contained detailed customer records and leads or potential customers. Upon further investigation of the data it appeared to belong to an Australian based…

Like this story? Please share it!

Data Breach, database, elasticsearch May 21, 2019

Golf App Exposes 218k Users’ Data Online

On April 1st Bob Diachenko discovered a non-password protected Elastic database that appeared to contain millions of records detailing golf games, courses, messages, and other player data. Upon further investigation there were many references to GAME…

Like this story? Please share it!

Data Breach, database, elasticsearch May 13, 2019

Panama Citizens Massive Data Breach

On May 10th I identified a massive bulk of data sitting in an unprotected and publicly available Elasticsearch cluster (hence visible in any browser). This database contained 3,427,396 records with detailed information on Panamanian citizens…

Like this story? Please share it!

Data Breach, database, mongodb May 8, 2019

Database With Millions of Indian Personal Records Exposed and Hijacked

On May 1st, I have discovered an unprotected and publicly indexed MongoDB database which contained 275,265,298 records with personal identifiable information (PII) on Indian citizens, including the following fields: Name Email Gender Education level and area…

Like this story? Please share it!

Data Breach, database, mongodb May 3, 2019

AMC inadvertently exposed its subscribers database for Sundance Now and Shudder services

On May 1st I have discovered an unprotected and publicly available MongoDB instance which appeared to contain data related to AMC Networks’ premium streaming offerings – Sundance NOW and Shudder. Although no sensitive information was…

Like this story? Please share it!

Blog, Data Breach, database, mongodb April 18, 2019

Iranian Ride-Hailing App Database Exposure

On April 18th, during our regular security audit of nonSql databases with BinaryEdge search engine, I have discovered an open and publicly available MongoDB instance which contained astonishingly sensitive information on Iranian drivers. Information was…

Like this story? Please share it!

Blog, database, elasticsearch, spammers April 2, 2019

Massive Spam Operation Uncovered In A Database Leak

Sometimes databases are left wide open not only by legit companies, but misconfigured by malicious actors themselves. Last month I have discovered a publicly available database with almost 5GB of 11,535,164 records with compromised emails…

Like this story? Please share it!