
Millions of login credentials leaked via unsecured database


A cybersecurity researcher has discovered an unsecured Elasticsearch database containing millions of login credentials.

This was reported by Wired. Jeremiah Fowler stumbled upon the system on May 6. According to Fowler, it is usually possible to identify the administrator based on the contents of such a database, but this was not possible in this case. He suspects that cybercriminals created the database to store data obtained through malware.

The database contained 184 million records and took up 47 gigabytes of storage space. It consisted of login credentials for millions of user accounts.

When analyzing a sample of 10,000 records, Fowler found, among other things, the data of more than 850 Google and Facebook users and hundreds of accounts from Roblox, Discord, Microsoft, Netflix, and PayPal. There were also usernames and passwords from numerous other popular services.

The same sample contained 220 email addresses ending in .gov, originating from government agencies in at least 29 countries, including the US, the UK, and Australia.

Open-source search engine

The database ran on Elasticsearch, a popular open-source search engine based on Apache Lucene and known for its scalability. Although Elasticsearch lacks some traditional database features, among them ACID transactions, which protect against data loss in the event of system failures, it can serve as a storage medium for searchable data. Security options are available, however, to prevent that data from being publicly accessible.
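The following configuration is an added illustration, not part of the original article and not taken from the exposed system described in it. It contrasts the kind of elasticsearch.yml settings that leave a node reachable and unauthenticated with the settings that enforce authentication and TLS. The setting names (`network.host`, `xpack.security.enabled`, `xpack.security.http.ssl.*`) are real Elasticsearch options; the certificate path is a placeholder.

```yaml
# --- Exposed configuration (do not use) ---
# Binding to all interfaces and disabling security means anyone who can
# reach port 9200 can list and read every index without credentials.
# On releases before Elasticsearch 8.0 security was off by default, so
# a node configured like this needed no deliberate misstep to be open.
network.host: 0.0.0.0
xpack.security.enabled: false

# --- Hardened configuration ---
# Bind only to the address the application actually uses, require
# authentication for every request, and encrypt the HTTP API so that
# credentials and data are not sent in clear text.
network.host: 10.0.0.5          # private interface only (placeholder address)
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12   # placeholder path
```

A quick self-check on a node you operate is to request `/_cat/indices` without credentials from inside the network; a correctly secured node answers with HTTP 401 rather than an index listing. Pair the configuration with a firewall or security-group rule that blocks port 9200 from the internet, since the application-level settings and the network-level restriction fail independently.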

Fowler explained to Macworld that he uses various methods to detect vulnerable databases, including the use of search engines for IoT. These services map internet-connected devices and collect technical data such as IP addresses.

It is unclear where the data in the Elasticsearch database came from, but Fowler discovered it was running on servers belonging to the British hosting company World Host Group. After his report, the company took the database offline.

According to Wired, the database was running on an unmanaged server, entirely owned by the customer. The CEO of World Host Group, Seb de Lemos, stated that it appears that a malicious user logged in and uploaded illegal content. The server has since been taken offline and the legal team is investigating what information may be useful to the authorities.
