
49 Million Unique Emails Exposed Due to Mishandled Credentials


aum



 

An Israeli marketing firm exposed 49 million unique email addresses after mishandling the authentication credentials for an Elasticsearch database, which were sitting in plain text on an unprotected web server.

 

In a vaguely-worded notification this week, Straffic, a privately-held digital marketing company, said that the incident was the result of a "security vulnerability" affecting one of its servers.

 

This is not the entire story, though, and this incident shows that huge databases are still at risk even when accessing them requires authentication.

Unexpected vulnerability

Straffic is described as "a private network for connecting elite affiliates with CPA [cost per action] & CPL [cost per lead] offers from trusted advertisers."

 

In a short message on Wednesday, the company announced that "a security vulnerability has been found on one of the servers we use to provide our services."

 

The asset was an Elasticsearch database with 140GB of contact details consisting of names, phone numbers, and postal addresses. While it was password protected, it appears that the credentials were not properly stored.

 

A security researcher using the Twitter handle 0m3n found them in plain text on the webserver. A DevOps engineer with a focus on security, 0m3n decided to check the webserver after receiving a link in a spam message.

 

0m3n told Jeremy Kirk that they discovered a configuration text file (a .ENV file) that pointed to an AWS Elasticsearch instance. The domain is no longer loading.
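The failure described above is a dotenv-style configuration file, readable through the web server, carrying database credentials in plain text. The following is an added example, not code from the article, from Straffic, or from the researcher: a defender-side pre-deploy check that walks a directory tree that is served over HTTP, finds dotenv files, and reports any key that looks like a secret or any URL with user:password embedded in it. The file contents, key-name heuristics, and directory layout are constructed for the example.

```python
"""Flag plaintext credentials in dotenv-style config files under a web root.

Added example (not from the article or from Straffic): models the check a
deploy pipeline can run so a .env file with database credentials never ends up
in a directory the web server exposes. Sample file contents are constructed.
"""
import os
import re
import tempfile
from urllib.parse import urlsplit

DOTENV_NAMES = {".env", ".env.local", ".env.production"}
# Key names that normally hold secrets (assumed heuristic list, not exhaustive).
SECRET_KEY_RE = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_KEY|ACCESS_KEY)", re.I)
# Matches KEY=VALUE lines, tolerating a leading `export`; comments/blank lines skipped.
LINE_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_dotenv(text):
    """Return {key: value} from dotenv text, stripping matching surrounding quotes."""
    env = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def url_has_embedded_credentials(value):
    """True when value is a URL such as https://user:pass@host/ (credentials in netloc)."""
    if "://" not in value:
        return False
    parts = urlsplit(value)
    return parts.username is not None or parts.password is not None


def find_exposed_secrets(env):
    """Return a list of (key, reason) findings for a parsed dotenv mapping."""
    findings = []
    for key, value in env.items():
        if not value:
            continue
        if SECRET_KEY_RE.search(key):
            findings.append((key, "secret-looking key with a non-empty value"))
        elif url_has_embedded_credentials(value):
            findings.append((key, "URL carries user:password in plain text"))
    return findings


def scan_web_root(root):
    """Walk `root` (a directory served over HTTP) and return {path: findings}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in DOTENV_NAMES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = find_exposed_secrets(parse_dotenv(fh.read()))
                if findings:
                    report[path] = findings
    return report


# Constructed sample: a dotenv file whose Elasticsearch URL carries credentials.
SAMPLE_DOTENV = """\
# constructed sample, not Straffic's file
APP_ENV=production
ELASTICSEARCH_URL="https://es_user:hunter2@search-example.es.amazonaws.com:443"
AWS_SECRET_ACCESS_KEY=EXAMPLEKEYNOTREAL
LOG_LEVEL=info
"""


def demo():
    """Write the sample into a temporary web root, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as root:
        public = os.path.join(root, "public")
        os.makedirs(public)
        with open(os.path.join(public, ".env"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_DOTENV)
        report = scan_web_root(root)
        # Paths relative to the temporary root so the result is stable across runs.
        return {os.path.relpath(p, root): f for p, f in report.items()}


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path)
        for key, reason in findings:
            print(f"  {key}: {reason}")
```

The URL check matters because connection strings often pass the regex filter on the key name (`ELASTICSEARCH_URL` contains no "PASSWORD") while still carrying the password in the netloc; `urlsplit` exposes that directly. A finding here should fail the deploy, and the web server itself should additionally be configured to refuse dotfiles so a stray copy is never served.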

 

Troy Hunt said that 70% of the emails in Straffic's database were already present on Have I Been Pwned, the data breach notification site he created. This means that many of them "didn't come from previous breaches," he says in a reply to Under the Breach on Twitter.

The ratio is pretty normal but yeah, plenty of them didn’t come from previous breaches if that’s what you mean

— Troy Hunt (@troyhunt) February 27, 2020

Straffic says that all their systems are secure at the moment and that they did not find evidence of the data being copied or misused.

 

"Although we do our very best to protect the security of our service and deeply regret such a vulnerability has been found on our service, it is impossible to create a totally immune system, and these things can occur" - Straffic

 

Indeed, security incidents can occur even when the best precautions are in effect and are more likely to happen when database credentials float on the internet, especially when they are in plain text.

 

Hunt, who is very familiar with disclosure notices, points out that Straffic's announcement lacks the basic information that should be available in such a communication. Details about the date of the incident (or at least an estimate), what caused it, how it was addressed, and how impacted parties are being informed are missing.

 

Source
