According to Shodan historical data, the Elasticsearch instance in question was indexed (hence publicly available, with no password or authorization) for several months in 2018:
80/tcp Elastic (5.3.2) (2018-12-04)
80/tcp Elastic (5.3.2) (2018-11-29)
80/tcp Elastic (5.3.2) (2018-04-11)
According to their site, “ViewLift is a full-service digital content distribution platform empowering media companies, sports leagues and teams, education providers and others to monetize their content through native branded apps on major OTT devices including web, mobile, TV-connected devices, Smart TVs, and gaming consoles.
“ViewLift clients include NBCU; TEGNA; Monumental Sports Network; The Great Courses; Lax Sports Network; Major League Lacrosse; Arena Football League; the five owned-and-operated channels of SnagFilms; and others.”
The exposed Elasticsearch cluster contained more than 5 million records with user registration data. The list of clients included:
- The Blaze
- Arena Football
- Lax Sports Network
- Pet Collective and others.
In most records, user registration data was limited to country, email, name, links to avatars hosted on social media, and the IPs from which users were registering.
The company did not respond to numerous responsible disclosure emails sent back in December last year, but a couple of weeks after the initial discovery the database was taken offline and is no longer available.