On May 6th I have identified an open and unprotected Elasticsearch server that appeared to contain registration details for US-based divers certified by PADI, Professional Association of Diving Instructions.
Cluster contained 2,313,197 records with the following fields:
- full name
- phone / home phone / mobile phone
- mailing address
According to Shodan search engine, IP in question and Elasticsearch port (9200) was first indexed on April 23, 2020 – long enough for anybody with malicious intents to find and grab the data.
Upon verification of several records I have immediately sent a responsible disclosure alert to PADI and also reached out to their official Twitter account. As of May 8th, server was pulled offline, although no further response or clarification received.
As I have previously reported, danger of having exposed (i.e. no password/authentication) Elasticsearch instances or similar instances is huge. As an example, after we deployed ES honeypot on 14 Apr and got 24 attacks in less than 3 days. 20 of those were attempts to list clusters and download files. More than 50% of all indexable Elasticsearch clusters are now destroyed by malicious injections, such as Nightlionsecurity worm.
Dangers of exposed data
Even though this data did not contain payment or sensitive information, such structured and targeted collection of data would pose a clear risk to people whose data was exposed. An identity thief or phishing actor couldn’t ask for a better payload.
Fraudsters might target affected people with scams and phishing campaigns, using their personal information to craft targeted messages
Phishing messages often impersonate trusted people or organizations to trick victims into giving up sensitive information or money. They often contain links to phishing websites, which mimic genuine websites. In fact, they exist only to steal information, such as passwords and payment information.
How and why we discovered this exposure
Our goal is to help to protect data on the Internet by identifying data leaks and following responsible disclosure policies. Our mission is to make the cyber world safer by educating businesses and communities worldwide.
Our extensive cybersecurity knowledge lends itself well to searching for and analyzing data leaks. Our due diligence demands that we make every attempt to identify who is responsible and notify them as quickly as possible.
Our hope is to minimize harm to end users whose data was exposed. We take steps to find out what each database contained, for how long it was exposed, and what threats to end users might arise as a result. Our findings are compiled into reports like this one to raise awareness and curb misuse of personal data by malicious parties.