Today it was revealed that a huge database containing over 114 million records on US citizens and companies has been sitting online unprotected, exposing private data. The database was discovered by HackenProof, a penetration testing company based in Estonia. They found the data through the Shodan search engine, in two Elasticsearch indices. Elasticsearch is a search engine built on the Lucene library (a free and open-source information retrieval software library).
In one search they found personal information on 56,934,021 US citizens. This included private or sensitive details such as a person’s full name, job title, employer, email address, phone number, IP address, street address and ZIP code. HackenProof released a fact sheet about the find, which stated that almost 83 million people were affected.
This exposure is particularly worrying if the data reached scammers. With these details, scammers could run targeted spear phishing campaigns or cold-call individuals, using the accurate personal information to build trust.
It has not been confirmed who owns the data, although it is thought to come from Data & Leads Inc., a 10-year-old data management company based in Toronto, Canada. Data & Leads hasn’t responded to questions about the incident; however, their website did go offline for a short period, and the database is no longer available.
The information was exposed because of a misconfiguration in the Elasticsearch instances that allowed access without authentication. Often when an attacker stumbles across an instance like this, they delete the records and demand a ransom to restore them. However, many victims have found that paying does not bring the records back, since the attacker never made a copy in the first place.
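The misconfiguration described above, an Elasticsearch node bound to a non-loopback address with authentication disabled, can be caught in the node's own configuration before the data is ever indexed by Shodan. The following is an added example, not code from this article, from HackenProof, or from Data & Leads: a small audit script for the flat `key: value` form of `elasticsearch.yml`. Both sample configurations are constructed, and the script assumes the 6.x/7.x behaviour in which `xpack.security.enabled` is treated as off when the key is absent (8.x defaults it to on).

```python
"""Audit an elasticsearch.yml for the unauthenticated-exposure pattern.

Constructed example for this article; it only handles the flat
`key: value` lines that elasticsearch.yml normally consists of.
"""
from typing import Dict, List

# Constructed sample configs (not taken from the incident).
WEAK_CONFIG = """
cluster.name: leads-cluster
network.host: 0.0.0.0            # reachable from every interface
http.port: 9200
xpack.security.enabled: false    # no authentication at all
"""

HARDENED_CONFIG = """
cluster.name: leads-cluster
network.host: 127.0.0.1          # loopback only; front it with an authenticated proxy
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Values of network.host that mean "loopback only".
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse `key: value` lines, ignoring blanks and `#` comments."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_publicly_bound(host: str) -> bool:
    """True if any configured bind address is reachable beyond loopback.

    network.host may be a single value or a list such as "[_local_, _site_]";
    an unset value keeps Elasticsearch's default of binding to loopback.
    """
    parts = [p.strip() for p in host.strip("[]").split(",") if p.strip()]
    if not parts:
        return False
    return any(p not in LOOPBACK for p in parts)


def audit(settings: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    host = settings.get("network.host", "")
    port = settings.get("http.port", "9200")
    public = is_publicly_bound(host)
    # Assumed 6.x/7.x default: security is off unless explicitly enabled.
    security_on = settings.get("xpack.security.enabled", "false").lower() == "true"
    tls_on = settings.get("xpack.security.http.ssl.enabled", "false").lower() == "true"

    if public and not security_on:
        findings.append(
            f"CRITICAL: network.host={host!r} is reachable beyond loopback and "
            f"xpack.security.enabled is off: anyone who can reach port {port} "
            "can read, modify or delete every index"
        )
    elif public and not tls_on:
        findings.append(
            f"WARNING: network.host={host!r} is reachable beyond loopback and "
            "HTTP TLS is off: credentials and documents cross the network in clear text"
        )
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(parse_flat_yaml(cfg))
        print(f"{label}: {result or 'no findings'}")
```

Run it against a real `elasticsearch.yml` by replacing the constructed strings with the file contents; a `CRITICAL` finding is the exact state that left these indices open to anyone who could reach port 9200, and turning on `xpack.security.enabled` (or putting the node behind an authenticated reverse proxy on a loopback bind) clears it.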
It is not known how long the data was exposed, or whether attackers have already used it in scams against US citizens and companies.