Records of Nearly 57 Million US Citizens Exposed by ElasticSearch

AlphaAtlas

An ElasticSearch server has reportedly leaked records of 56,934,021 U.S. citizens. The names, employers, job titles, email addresses, home addresses, IP addresses and phone numbers of these Americans were said to have been exposed, and security expert Bob Diachenko claims that an additional business database with over 25 million records contained zip codes, carrier routes, coordinates, census tracts, web addresses, revenue numbers, and more. Hackenproof previously warned that the lack of authentication on Elasticsearch servers was dangerous, and this leak seemingly proves their fears. Thanks to Schtask for the tip.

While the source of the leak was not immediately identifiable, the structure of the field ‘source’ in data fields is similar to those used by the data management company Data & Leads Inc. However, we weren’t able to get in touch with their representatives. Moreover, shortly before this publication the Data & Leads website went offline and is now unavailable. As of today, the database is no longer exposed to the public; however, it is unknown how long it had been online before Shodan crawlers indexed it on November 14th and who else might have accessed the data.
 
Ok, so I have never heard of Elasticsearch before.

Is this one of those, if you haven't used it directly you are in the clear, or is this one of those behind the scenes companies that has data on everyone and we are all fucked either way?
 
This is like any other piece of software -- they downloaded and were using elasticsearch, but did not enable security on the product and left it wide open on the default port accessible via the internet. Elasticsearch isn't the issue, it is the developer/company. Elasticsearch provides security and as you can see from their list of users it is used by a lot of companies.

https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html

This isn't the first time a company left Elasticsearch wide open. However this is no different than leaving any other system wide open.

https://www.bleepingcomputer.com/ne...rch-server-exposed-data-on-1-133-nfl-players/
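The post above describes the exposure pattern exactly: a node bound to a public interface on the default port with no authentication enabled. As an added example (not code from any poster or from Elastic), the Python below audits an elasticsearch.yml fragment for that pattern and classifies the response an unauthenticated request to your own node returns. The setting names are real Elasticsearch keys; both config fragments and the probe responses are constructed, and unset `xpack.security.enabled` is treated as disabled (the 7.x default on a basic license).

```python
"""Audit an elasticsearch.yml fragment for the "wide open on 9200" pattern.
Added example; the two config samples below are constructed, not real."""

# Constructed sample: bound to every interface, no authentication.
WEAK_CONFIG = """
cluster.name: leads-cluster
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
xpack.security.enabled: false
"""

# Constructed sample: same node, loopback only, security and TLS enabled.
HARDENED_CONFIG = """
cluster.name: leads-cluster
network.host: 127.0.0.1
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

# Bind values that keep the HTTP port reachable from this host only.
LOOPBACK = {"_local_", "127.0.0.1", "::1", "localhost"}


def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines elasticsearch.yml uses (no nesting).
    Comments and blank lines are skipped; values come back as strings."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def audit_config(text):
    """Return a list of findings; an empty list means nothing flagged."""
    s = parse_flat_yaml(text)
    findings = []
    bind = s.get("network.host", "_local_")          # unset: loopback only
    port = s.get("http.port", "9200")                 # unset: default port
    security_on = s.get("xpack.security.enabled", "false").lower() == "true"
    http_tls_on = s.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    off_host = bind not in LOOPBACK
    if off_host and not security_on:
        findings.append(f"CRITICAL: bound to {bind}:{port} with xpack.security disabled; "
                        "every index is readable by anyone who can reach the port")
    elif off_host:
        findings.append(f"INFO: bound to {bind}:{port}; confirm a firewall limits who can reach it")
    if security_on and not http_tls_on:
        findings.append("WARN: security enabled but HTTP TLS is off; credentials travel in cleartext")
    return findings


def classify_probe(status, body):
    """Classify the reply to an unauthenticated GET / on a node you operate.
    With security enforcing auth the node answers 401; a 200 carrying the
    Elasticsearch banner means the REST API is open to whoever reached it."""
    if status == 401:
        return "auth-required"
    if status == 200 and "You Know, for Search" in body:
        return "open"
    return "unknown"


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or ["no findings"])
    print(classify_probe(200, '{"tagline": "You Know, for Search"}'))
```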
 
eBay and Ticketmaster? Yeah that’s not good.

Also SAP.

Expand the list.. basically if you do business anywhere you are screwed.

Verizon
GitHub
IBM
Activision
Blizzard
Adobe
Home Depot
Microsoft
Mozilla
Cisco
Cigna
Kroger
Walgreens
Uber
Fandango
nVidia
Walmart
Facebook
Netflix
USAA
Symantec
Sprint
T-Mobile
Netapp
grubhub
godaddy
fitbit
Cox
Lyft
Citibank

And those are just the ones that stuck out for me.
 
eBay and Ticketmaster? Yeah that’s not good.

Also SAP.

Citibank (a lot of people have their credit cards), Vimeo, Cox (a lot of people use them as an ISP), Lyft, Blizzard, Fitbit, Godaddy, Grubhub, Workday (my previous employer used them for tons of HR stuff), Microsoft Azure, VW, Deutsche Telekom / T-Mobile, Sprint, Dell, Verizon, Symantec, USAA, Facebook, Netflix, Walmart, BBC, Cisco, Nvidia, General Mills, Fandango, Merck, Uber, Tinder, Kroger, The US Census Bureau, Cigna Health insurance, Goldman Sachs, Fico credit bureau, Mozilla, The Guardian, The New York Times, Salesforce, Adobe, Home Depot, Activision, IBM, Docker, Zendesk, Mayo Clinic, Github, Concur, Groupon, .... These are just the ones I recognized and thought were notable enough to mention.


So, Financial companies, Health Insurers, Universities, IT Tools, Gamer Software/Hardware, Business tools. You name it.

Hopefully not everything was hit, cause that's a lot of shit.

I find it very disconcerting that all these companies share our data with their third parties for business purposes such that we don't even know who has our data anymore, and a hack of a company no one has ever heard of can result in us being compromised.

Something really has to change.
 
Here's a list of companies that use them: https://www.elastic.co/use-cases
Holy crap there is a lot.

At first I was like... ok... that's not good. Then I hit the more stories link at the bottom of the initial page

HAHAHAHAHAHAHAHAHAHAHA


and the best part.. is a database about us.. that we have absolutely NO control over, even though the data is ALL about us.

(y)(y)(y)
 
Guys, you're misunderstanding what this software does. It goes in front of databases and makes interacting with the data very rapid, so things like websites can react quickly to extremely large volumes of data. For example, being able to change your Battle.net password in a timely fashion.
 
That's because it's actually a very good bit of tech. In the instance of OP, it was just shittily implemented, which can happen to _any_ tech.

True, but this can be limited by making the default settings hardened, and putting warnings in place whenever they are changed. People will still do stupid things, but at least this way it can be minimized.
 
Citibank (a lot of people have their credit cards), Vimeo, Cox (a lot of people use them as an ISP), Lyft, Blizzard, Fitbit, Godaddy, Grubhub, Workday (my previous employer used them for tons of HR stuff), Microsoft Azure, VW, Deutsche Telekom / T-Mobile, Sprint, Dell, Verizon, Symantec, USAA, Facebook, Netflix, Walmart, BBC, Cisco, Nvidia, General Mills, Fandango, Merck, Uber, Tinder, Kroger, The US Census Bureau, Cigna Health insurance, Goldman Sachs, Fico credit bureau, Mozilla, The Guardian, The New York Times, Salesforce, Adobe, Home Depot, Activision, IBM, Docker, Zendesk, Mayo Clinic, Github, Concur, Groupon, .... These are just the ones I recognized and thought were notable enough to mention.


So, Financial companies, Health Insurers, Universities, IT Tools, Gamer Software/Hardware, Business tools. You name it.

Hopefully not everything was hit, cause that's a lot of shit.

I find it very disconcerting that all these companies share our data with their third parties for business purposes such that we don't even know who has our data anymore, and a hack of a company no one has ever heard of can result in us being compromised.

Something really has to change.

The solutions are already there. Opt out and cash. Facebook? Just don't use it. If businesses whine cash is too expensive, well, maybe they should secure their $&!@.
 
Ok so who do I get to sue for this? The name of the company I literally never heard of until today, or the site that uses said company? Haha jokes on me, there are laws that hold these companies effectively harmless to litigation for losing your data!
 
The solutions are already there. Opt out and cash. Facebook? Just don't use it. If businesses whine cash is too expensive, well, maybe they should secure their $&!@.

Going back to the 19th century is not the solution.

Regulating what data can be kept on users, and requiring positive security validations is.

We need a new government agency that is as hardass as the FDA that requires positive validated security protocols, that only the minimal amount of needed data is collected, etc. etc. BEFORE a system goes live, and has the legal power to walk executives of companies that are not compliant out in cuffs.

PROVE to me that you have all the industry standard best practices for security in place before you are allowed to go live, and then follow up with periodic audits to make sure they are still compliant, and if they are not, slam 'em, with everything you've got.

Sure it might take a few years to get approval to launch a new service that uses data, but I have no sympathy. This needs to be fixed.
 
A lot of you guys are really missing the point. This is not a BUG or FLAW in elasticsearch.

This is a flaw in how the company decided to use Elasticsearch which as mentioned by others can happen to any software.
 
So is this just those that work for these said companies or also customers?

Nevermind. I see the data content:

[attached image: PIC2-4.jpg]
 
That's because it's actually a very good bit of tech. In the instance of OP, it was just shittily implemented, which can happen to _any_ tech.

The problem is that you don't know which companies are properly securing their infrastructure/data and which ones aren't.

Go ahead, head on over to your local Walmart (one of the companies that uses elastic search) and ask the cashier about the security protocols used to safeguard your data, is it stored encrypted, what algorithms are used, is it transferred encrypted over the network connections, what password security protocols do they use, do they use 2FA? etc... Good luck with that one. I bet there wouldn't be a single person in the store from the top of management down that could provide an answer.

In my view the only reasonable approach is to do everything in my power to limit their data collection. They can't lose what they don't have.
 
I am working on an ELK stack as I read this. The headline is very misleading. The company "Elasticsearch" had NOTHING to do with this leak. It was another company where some idiot left the doors wide open to the data. It is like blaming Microsoft for a company using their SQL database and leaving access wide open. Again Elasticsearch has an amazing product for aggregating data, but if you are not professional enough to be PCI compliant when using this type of data you should be fired and probably never work with this sort of data again.
 
ElasticSearch isn't the problem........


ElasticSearch doesn't host your data. The company using ElasticSearch as a data gathering and tracking tool is the problem, blame the company. ElasticSearch as a product does not host all those companies data on their servers. Each one of those companies in that list has their own ElasticSearch environment in their own network/cloud.

The company I work for uses this software. It's not what you think. Our data is not compromised. Unless you somehow ended up in Data & Leads database, you're fine.
 
Never mind, question answered...

No, it has not been answered. Elasticsearch is a product, and listing the companies that use the product is not relevant. This product does nothing but aggregate and index data so you can perform meaningful queries against it. I use it to aggregate our large collection of system logs to monitor access and utilization across systems. My data has nothing to do with any employee data. Just because a company uses ES software does not mean they are using it with customer data. There is one company at fault here, the one that exposed the data they happen to use in Elasticsearch. It could have been any piece of software where data is maintained, but it is certainly not Elasticsearch, so the phrasing of this article really needs to be edited.
 
Going back to the 19th century is not the solution.

Regulating what data can be kept on users, and requiring positive security validations is.

Companies consistently break the law and when they do they don't really get punished. Hell, HSBC was pretty much knowingly laundering money for Mexican drug cartels. https://www.rollingstone.com/politics/politics-news/outrageous-hsbc-settlement-proves-the-drug-war-is-a-joke-230696/

If they're willing to launder drug money and violate the Bank Secrecy Act and the Trading With the Enemy Act, what makes you think they're shaking in their boots about keeping a list of your phone numbers and SSNs, etc.

We need a new government agency that is as hardass as the FDA that requires positive validated security protocols, that only the minimal amount of needed data is collected, etc. etc. BEFORE a system goes live, and has the legal power to walk executives of companies that are not compliant out in cuffs.

PROVE to me that you have all the industry standard best practices for security in place before you are allowed to go live, and then follow up with periodic audits to make sure they are still compliant, and if they are not, slam 'em, with everything you've got.

If you think "strong regulation" will stop anything... HAHAHAHAHAHAHAHA

Hell, if you think "strong regulation" will even get passed/legislated then double HAHAHAHAHAHAHAHA. The law makers are pretty much ALL wholly owned servants of the corporations. Good luck with that one. They're pretty much all corrupt. Something like 84% of all Americans, and both large majorities of Democrats and Republicans agree special interests shouldn't be able to make political donations. It's about the only thing the voters agree on across the political spectrum - that corruption is bad. Have any laws been passed to change it? Of course not, the ones benefiting from it are the ones that would have to change it.


Sure it might take a few years to get approval to launch a new service that uses data, but I have no sympathy. This needs to be fixed.

See above, it won't happen.
 
The problem is that you don't know which companies are properly securing their infrastructure/data and which ones aren't.

Go ahead, head on over to your local Walmart (one of the companies that uses elastic search) and ask the cashier about the security protocols used to safeguard your data, is it stored encrypted, what algorithms are used, is it transferred encrypted over the network connections, what password security protocols do they use, do they use 2FA? etc... Good luck with that one. I bet there wouldn't be a single person in the store from the top of management down that could provide an answer.

In my view the only reasonable approach is to do everything in my power to limit their data collection. They can't lose what they don't have.

Nor should they be able to. That'd be the equivalent of asking a car salesman about the processes used to assemble the car at the plant. Do you have the same level of suspicion about the vehicle you drive? Did you ask the lot custodian where the parts for your media console in your car were sourced?
 
The problem is that you don't know which companies are properly securing their infrastructure/data and which ones aren't.

Go ahead, head on over to your local Walmart (one of the companies that uses elastic search) and ask the cashier about the security protocols used to safeguard your data, is it stored encrypted, what algorithms are used, is it transferred encrypted over the network connections, what password security protocols do they use, do they use 2FA? etc... Good luck with that one. I bet there wouldn't be a single person in the store from the top of management down that could provide an answer.

In my view the only reasonable approach is to do everything in my power to limit their data collection. They can't lose what they don't have.

I understand your concern, but there is actually a standard for PCI compliance which requires constant auditing. It is silly to think a cashier would know this information. That is like expecting the cashier to know the viscosity of the hydraulic fluid used in the forklifts in the warehouse. They pay a security team to handle that information, and I know for a fact there is an IT related security person at each Wal-Mart who could answer your question but would not.

That being said, I agree that limiting information out there is ideal, but welcome to the brave new world the internet promised us.
 
Until our Government starts punishing companies like Anthem, EquiFax, and etc. more harshly this will continue to happen... Nowadays we have to have extra insurance out on our identities that costs us more money we previously didn't have to do and what I think our Government should be providing anyways.
 
Companies consistently break the law and when they do they don't really get punished. Hell, HSBC was pretty much knowingly laundering money for Mexican drug cartels. https://www.rollingstone.com/politics/politics-news/outrageous-hsbc-settlement-proves-the-drug-war-is-a-joke-230696/

If they're willing to launder drug money and violate the Bank Secrecy Act and the Trading With the Enemy Act, what makes you think they're shaking in their boots about keeping a list of your phone numbers and SSNs, etc.



If you think "strong regulation" will stop anything... HAHAHAHAHAHAHAHA

Hell, if you think "strong regulation" will even get passed/legislated then double HAHAHAHAHAHAHAHA. The law makers are pretty much ALL wholly owned servants of the corporations. Good luck with that one. They're pretty much all corrupt. Something like 84% of all Americans, and both large majorities of Democrats and Republicans agree special interests shouldn't be able to make political donations. It's about the only thing the voters agree on across the political spectrum - that corruption is bad. Have any laws been passed to change it? Of course not, the ones benefiting from it are the ones that would have to change it.




See above, it won't happen.

I doubt it will happen too, but don't doubt that it would be effective if it did.

The argument against regulation that "people break laws" is an incredibly stupid one. Yes people break laws. But laws are strong deterrents, and banning something, especially if the law has strong legal teeth definitely reduces its occurrence. There will always be the few jackasses who think they are above the law, and then you just need to drop the hammer on them.

I've been brought in to quite a few companies to mop up the mess and make them compliant after they have been forced to operate under an FDA Warning Letter or Consent Decree after their non-compliance has been found. It isn't pretty, costs the companies billions and shareholders ask for heads to roll. It's a very strong deterrent.
 
Jesus the amount of ignorance in this thread. You guys are too smart to get spun up like a low IQ lynch mob and quit implying Elasticsearch in this. If thieves open your unlocked car and steal something out of it do you then blame the car manufacturer? Settle down. The exposure is scary and should be investigated for sure, but blame the right people.

I think I see the confusion. Some of you seem to think that Elasticsearch is some company that stores all this data for its customers in some monolithic cloud location like Equifax. This is 100% not the case. Elasticsearch simply developed the software that anyone can download and use and unfortunately potentially expose to the world.

It is no different than running your own email software that gets hacked. It is not the fault of the software that you left it exposed.
 
Until our Government starts punishing companies like Anthem, EquiFax, and etc. more harshly this will continue to happen... Nowadays we have to have extra insurance out on our identities that costs us more money we previously didn't have to do and what I think our Government should be providing anyways.

And guess who will sell you that insurance? Equifax will. They will sell you insurance to cover data losses they are responsible for. Sounds like they are motivated to fix the problem eh?
 
Jesus the amount of ignorance in this thread. You guys are too smart to get spun up like a low IQ lynch mob and quit implying Elasticsearch in this. If thieves open your unlocked car and steal something out of it do you then blame the car manufacturer? Settle down. The exposure is scary and should be investigated for sure, but blame the right people.

It is two fold. When you decide to keep a bunch of information like that you should take ownership of it. If thieves robbed my car because the manufacturer created a lock that didn't work, yes they are to blame as well. Otherwise if we don't hold people accountable for this, why bother with any security at all? I'll just run a database of everyone's credit info and no security because if someone steals it, the thief is to blame, not me.

So before you call everyone ignorant, at least have some idea of what you are talking about.
 
I don't even care anymore, might as well make a yellow pages for personal information cause I don't even think it matters anymore. We need enhanced security for transactions more than anything else. Magnetic strips and 16 digit numbers are NOT enough.
 
Going back to the 19th century is not the solution.

Regulating what data can be kept on users, and requiring positive security validations is.

We need a new government agency that is as hardass as the FDA that requires positive validated security protocols, that only the minimal amount of needed data is collected, etc. etc. BEFORE a system goes live, and has the legal power to walk executives of companies that are not compliant out in cuffs.

PROVE to me that you have all the industry standard best practices for security in place before you are allowed to go live, and then follow up with periodic audits to make sure they are still compliant, and if they are not, slam 'em, with everything you've got.

Sure it might take a few years to get approval to launch a new service that uses data, but I have no sympathy. This needs to be fixed.

There's a privacy law similar to the GDPR working its way through Congress, though it's an open question if it can get enough votes in the Senate or survive a veto.
 
In future just use this form:
Company ____________ had a data breach affecting _____________ users. They will give all affected customers a free year of data protection. For more details go to www.__________.____ and enter your social security number to see if you were compromised.
 
I don't even care anymore, might as well make a yellow pages for personal information cause I don't even think it matters anymore. We need enhanced security for transactions more than anything else. Magnetic strips and 16 digit numbers are NOT enough.

True, at this point with the amount of breaches, is there even any new data being released? Like is anyone new being exposed or have we already hit about 95% by now :/
 
It is two fold. When you decide to keep a bunch of information like that you should take ownership of it. If thieves robbed my car because the manufacturer created a lock that didn't work, yes they are to blame as well. Otherwise if we don't hold people accountable for this, why bother with any security at all? I'll just run a database of everyone's credit info and no security because if someone steals it, the thief is to blame, not me.

So before you call everyone ignorant, at least have some idea of what you are talking about.

Uhhh, I got news for you: The entire Internet is insecure. The big thing just today is that Sennheiser basically broke HTTPS.

https://arstechnica.com/information...-blunder-that-cripples-https-on-pcs-and-macs/

The problem with the Internet is it relies almost entirely on everyone "doing the right thing" and tends to break for everyone if one person or company doesn't. Your data is only as secure as the least secured website.

If security is ever going to be a thing, then the entire Internet will have to be redesigned at the protocol level with security in mind.
 
It is two fold. When you decide to keep a bunch of information like that you should take ownership of it. If thieves robbed my car because the manufacturer created a lock that didn't work, yes they are to blame as well. Otherwise if we don't hold people accountable for this, why bother with any security at all? I'll just run a database of everyone's credit info and no security because if someone steals it, the thief is to blame, not me.

So before you call everyone ignorant, at least have some idea of what you are talking about.

Still ignorance.

Elasticsearch creates a security suite for their product called X-pack. It works. It however COSTS MONEY, these companies are using the FREE open source version that has no security.

Stop blaming elastic.co, they did absolutely nothing wrong.
 
It is two fold. When you decide to keep a bunch of information like that you should take ownership of it. If thieves robbed my car because the manufacturer created a lock that didn't work, yes they are to blame as well. Otherwise if we don't hold people accountable for this, why bother with any security at all? I'll just run a database of everyone's credit info and no security because if someone steals it, the thief is to blame, not me.

So before you call everyone ignorant, at least have some idea of what you are talking about.

I promise that I know more about Elasticsearch and PCI compliance than you. I actually have it open in another window, and know the fines for violating the compliance. Your reply just expands the ignorance. You state when you decide to keep a bunch of information you should 100% take ownership of it. This is the head slapper. The company Elasticsearch did not "keep" the data. Another company, potentially Data & Leads, used Elasticsearch's product to store the data and the fool who put the data into the system then exposed that system on public facing servers. How you can attempt to blame the developer of the software for the incompetence of its users is mind boggling to me. In your example of running a database which gets compromised, in your logic the developer of the database should be held accountable and not you for not enabling security. Do you not see the idiocy of this?
 
This is the double edged sword of advertising. They target ads to people to generate more money for companies, then they track you to target your interests.

When they are nonchalant about the security they have on their databases, they screw over everyone. Greed ruins more lives than pretty much anything else.
 