Bob Diachenko, cybersecurity researcher and security leader at Camparitech, discovered an unprotected Elasticsearch server exposing the personal data of over 106 million international travelers to Thailand. The unsecured database, which included tourists’ sensitive information such as full names, passport numbers, and arrival dates, was exposed online, allowing anyone to access the data. Diachenko also confirmed that the leaky server exposed his own name and entries to Thailand. However, the database has now been secured after he reported the issue to the Thai authorities.

Diachenko claimed that any tourist who traveled to Thailand in the last 10 years might have had their personal data exposed in the incident.

What was exposed in the breach

The database hosted over 200GB of users’ data (more than 106 million records). The exposed information included:

• Date of arrival in Thailand
• Full name
• Sex
• Passport number
• Residency status
• Visa type
• Thai arrival card number

The Breach Impact

The Thai authorities stated that there is no sign of any misuse of the leaked data. While no financial data was leaked in the incident, the other exposed information could lead to various security risks if threat actors access it.

“Any foreigner who traveled to Thailand in the last decade or so probably has a record in the database. There are many people who would prefer their travel history and residency status not be publicized, so for them there are obvious privacy issues. None of the information exposed poses a direct financial threat to the majority of data subjects. No financial or contact information was included. Although passport numbers are unique to individuals, they are assigned sequentially and are not particularly sensitive. For example, a passport number can’t be used to open bank accounts or travel in another person’s name on its own,” Diachenko stated.

Unsecure Databases Attract Threat Actors

Threat actors are always on the hunt for unsecured servers. In this case, there is no evidence of how long the database was left exposed before Diachenko’s disclosure. However, a honeypot was planted to monitor hacker intrusions.

“Notably, the IP address of the database is still public, but the database itself has been replaced with a honeypot as of the time of writing. Anyone who attempts access at that address now receives the message: This is honeypot, all access were logged,” Diachenko added.

A honeypot is a security mechanism used to detect or counteract unauthorized intrusions of network and information systems. Earlier, a honeypot experiment from Camparitech found that attackers find and access unprotected databases in hours. The company set up a honeypot to know how quickly the hackers would attack an Elasticsearch server with a dummy database and fake data in it. Comparitech left the exposed data from May 11 until May 22, 2020. It found 175 attacks in just eight hours after the server deployed, with the number of attacks in one day totaled 22.

The post Personal Data of 106 Mn Visitors to Thailand Left Exposed Online appeared first on CISO MAG | Cyber Security Magazine.

According to the report, the exposed database belongs to cybersecurity analytics firm Cognyte, which was exposed online without password protection, allowing open access to strangers. The exposed database was stored by Cognyte, a cybersecurity analytics firm that stores data as part of its cyber intelligence service, which is then used to alert customers about third-party data breaches. “If a client’s contact information appeared in the database, for example, they could receive an alert notifying them that one of their accounts had been compromised. Or if they use a password that has previously been breached, they could get a notification to change it,” Cognyte said.

The leaky database is now secured after Bob Diachenko reported the issue to Cognyte.

“Cognyte was able to rapidly respond to and block a potential exposure. We appreciate such a responsible and constructive approach, which helps to raise awareness and induces companies and organizations to implement security safeguards and better protect their data,” Cognyte said.

The Data Breach Timeline

While it is unknown whether any attackers misused the leaked data, the researchers stated that the database was exposed online for at least four days:

• May 28, 2021: The database was indexed by search engines.
• May 29, 2021: Diachenko discovered the leaky database and immediately notified Cognyte.
• June 2, 2021: Cognyte secured the database.

What data was exposed?

The database held over 5,085,132,102 records that contained information including, name, email address, password, and data source. “Not all of the data breaches from which the data was sourced included passwords, however, we could not determine an exact percentage of records that contained a password. We do not know if any other third parties were accessing the data when it was exposed, nor do we know for how long it was exposed before being indexed by search engines. Our honeypot experiments show that attackers can find and access exposed data in a matter of hours,” Cognyte added.

Security Risks from Data Leaks

Cybercriminals often exploit the personal information obtained from data breaches to steal identities and misuse it to launch credential stuffing attacks, phishing, and other fraudulent scams. Several threat actor groups often get hold of such leaked data and threaten companies to expose it online or demand ransom.

Every minute is an opportunity for threat actors if they find an unsecured server left online. Attackers can find and access exposed data in a matter of seconds or hours. Another security experiment by Comparitech discovered that cybercriminals attacked a model of an unsecured database 18 times in a single day. The company set up a honeypot to know how quickly the hackers would attack an Elasticsearch server with a dummy database and fake data in it. It found 175 attacks in just eight hours after the server was deployed, and the number of attacks in one day totaled 22.

Talking about the incident to CISO MAG, Diachenko said, “It is not the first time I encounter this type of exposure. The amount and sensitive nature of previously leaked data is tremendous, so should be the efforts of any organization in possession of this data to keep it as secured as possible and prevent it from “re-leaking”. In my opinion such incidents are no less dangerous as the original data breaches collected in such troves.”

The post Another Case of Unprotected Database: 5 Bn Records from Previous Data Breaches Leaked appeared first on CISO MAG | Cyber Security Magazine.

About the Exposé

As per Comparitech’s blog, Diachenko found two large unsecured Amazon S3 Buckets of Premier Diagnostics, however, he was initially unaware of who they belonged to. One of these S3 buckets was named patient-images and contained 207,524 images of patients’ photo ID scans. Whereas the second S3 bucket, which was named paper-records, included a tabular database of names, dates of birth, and test sample IDs from patients who took COVID-19 tests from their 11 diagnostic centers across Utah. Giving a detailed case study of how things panned out, Comparitech published the following timeline:

• January 25, 2021 – The first of the two databases was indexed by a search engine.
• February 22, 2021 – Diachenko discovered the exposed data and began his investigation to identify the owner.
• February 24, 2021 – Unable to identify the owner, Diachenko sent an alert to the Amazon Web Services security team. He received a response that the owner would be informed via internal channels.
• February 25, 2021 – After further examination of exposed data, Diachenko identified Premier Diagnostics as the likely owner, and sent a disclosure accordingly.
• March 1, 2021 – After several days with no response, Comparitech’s editorial team was able to establish contact with Premier Diagnostics. The data was secured later in the day.
• March 5, 2021 – Premier Diagnostics requested additional time for security experts to review their infrastructure.

Related News:

Cybercriminals Attacked Unsecured Databases 18 Times Per Day

Doing the math, the number of images exposed was more than 200,000 however, the number of patients affected was only over 50,000. Something did not add up correctly. Comparitech reached out to Premier Diagnostics and found that “each patient is associated with four images: the front and back of a medical insurance card, and the front and back of a second ID such as a driver’s license or passport. That means roughly 52,000 patients are affected.”

The data has now been secured by Premier Diagnostics and no exploitation of the details has been registered as of now. However, the type of data exposed in this incident can lead to identity theft, phishing attacks, health insurance fraud, etc. against the patients who have been affected. Owing to this we request all the patients who have taken the COVID-19 tests at Premier Diagnostics to be alert and monitor all financial and important services associated with them that are linked with the exposed data.

Related News:

Microsoft’s Unsecured Bing Mobile App Exposes 6.5TB of Users’ Data

The post Unsecured Server Exposes PII of 50,000 Patients in Utah appeared first on CISO MAG | Cyber Security Magazine.

Information Exposed

Diachenko found three identical copies of the scraped data from social media pages, which were hosted at three separate IPv6 addresses. The datasets include:

• 96,714,241 records scraped from Instagram
• 95,678,713 records scraped from Instagram
• 42,129,799 records scraped from TikTok
• 3,955,892 records scraped from YouTube

The records contain personal information like profile name, full real name, profile photo, account description, whether the profile belongs to a business or has advertisements. It also includes statistics about follower engagement, including number of followers, engagement rate, follower growth rate, audience gender, audience age, audience location, likes, last post timestamp, age, and gender.

The misconfigured database is said to have come from now-defunct company called Deep Social, however the database is presently owned by a company named Social Data. Social Data acknowledged the exposure but has denied any connection with Deep Social.

“Evidence suggests that much of the data originally came from a now-defunct company: Deep Social. The names of the Instagram datasets (accounts-deepsocial-90 and accounts-deepsocial-91) hint at the data’s origin. Based on this, Diachenko first contacted Deep Social using the email address listed on its website to disclose the exposure. The administrators of Deep Social forwarded the disclosure to Social Data. The CTO of Social Data acknowledged the exposure, and the servers hosting the data were taken down about three hours later,” Comparitech stated in its report.

Fate of the Exposed Data

Attackers could take advantage of the exposed data to launch credential stuffing attacks. “The information stored in this database is vulnerable to spam marketing and phishing campaigns. Users of Instagram and TikTok should be on the lookout for scams and phishing messages either sent directly or posted in comments. Even though the information is publicly available, the size and scope of an aggregated database makes it more vulnerable to mass attacks than it would be in isolation,” Comparitech added in its report.

While the unsecured database was discovered on August 1, 2020, the Comparitech researchers stated that they do not know how long the data was exposed before the disclosure, and it is unclear whether any unauthorized party accessed it or not.

The post Data Scraped from Instagram, TikTok and YouTube Exposes 235 Mn Social Media Profiles appeared first on CISO MAG | Cyber Security Magazine.

According to the research, hacking is the topmost cause of data breaches in schools and colleges, with 45.9% of hacking incidents reported. Accidental data disclosure is second with 21% incidents in schools and 27.3% in colleges, followed by data theft or loss of data storage devices (11.1% in schools, and 14.7% in colleges).

Other findings from the research include:

• California is a hot spot for both college and K-12 data breaches with 12.2% of the 985 college data breaches and 10.6% of the 21.5 million records affected.
• New York reported most of the data breaches, with 63 breaches affecting almost half a million records.
• Arizona is one of the worst-hit states by number of records affected, with 2.83 million people affected.
• Wyoming is the only state to have no known reported education breaches.
• 2008 had the most education data breaches, but 2013 and 2017 were the biggest years by the number of records affected.
• The majority of records compromised in college data breaches with 3.07 million and 2.9 million records affected in 2013 and 2017 respectively.
• The biggest years for K–12 schools were 2018 and 2019 with 991,340 and 804,734 records affected, respectively.

“There does not appear to be any kind of trend in the breach numbers for K-12 schools or colleges, nor does there seem to be a pattern with college records affected. However, over the past few years, there has been a significant increase in the number of school records affected,” the report said.

Ransomware Attacks on K-12 Schools

Earlier, a similar report revealed that around 86 universities, colleges, and school districts were impacted, which in turn disrupted operations of nearly 1,224 individual schools due to ransomware attacks. The report also shared a list of  top three incidents of public schools being affected by ransomware attacks.

K-12 Cybersecurity Act

In order to address the rising cyberthreats on K-12 schools, two U.S. Senators, Gary Peters (Michigan) and Rick Scott (Florida), both members of the Senate’s National Security and Government Affairs Committee, have tabled a bill called “K-12 Cybersecurity Act” in December 2019. The Act directs the DHS Cybersecurity and Infrastructure Security Agency (CISA) to first study the specific cybersecurity risks associated with K-12 educational institutions. Once the study is done, CISA will then be responsible to develop cybersecurity recommendations and set up online tools to help schools with their cybersecurity requirements.

The post U.S. Schools Suffer Over 1,300 Data Breaches Since 2005 appeared first on CISO MAG | Cyber Security Magazine.

In a security alert, Comparitech explained how unauthorized third parties find, gain access, and alter exposed data without any authentication process, leaving users’ privacy at risk.

The company set up a honeypot to know how quickly the hackers would attack an Elasticsearch server with a dummy database and fake data in it. Comparitech left the exposed data from May 11 until May 22, 2020. It found 175 attacks in just eight hours after the server deployed, with the number of attacks in one day totaled to 22.

“The first attack came on May 12, just 8 hours and 35 minutes after deployment. Our honeypot averaged 18 attacks per day,” Comparitech said in a statement.

Comparitech also pointed out that hackers used IoT search engines like Shodan.io or BinaryEdge To find vulnerable servers online. “Within just one minute of being indexed by Shodan, two attacks took place. It’s worth noting that over three dozen attacks occurred before the database was even indexed by search engines, demonstrating how many attackers rely on their own proactive scanning tools rather than waiting on passive IoT search engines like Shodan to crawl vulnerable databases,” the statement added.

Attackers Location

The researchers found attackers’ locations based on their IP addresses. The highest numbers of attacks originated from:

• 89 attacks came from the U.S.
• 38 attacks came from Romania
• 15 attacks came from China

Attack Methods Used

Researchers found that most requests were aimed at getting information about the status of the database and its settings. These include:

• 147 attacks used the GET request method
• 24 attacks used the POST method, which was particularly popular for attacks originating in China
• One attack used the PUT method with the intent to change the server configuration
• One attack used the OPTIONS method to get information about the connection
• One attack used the HEAD method to get the headers of requests without receiving the responses

All attackers were not looking to steal data. Some targeted servers to mine cryptocurrency, steal passwords, and destroy data, Comparitech stated.

The post Cybercriminals Attacked Unsecured Databases 18 Times Per Day appeared first on CISO MAG | Cyber Security Magazine.

Comparitech stated that it found improvement in Australia’s cybersecurity readiness with an overall score of 13.95 when compared to the previous year’s 16.34 (lower scores represent better ranking). The scores are based on the indicators of compromise like the percentage of mobiles infected with malware, the frequency of financial malware attacks, and the number of computers infected with viruses in a country. It’s found that 4.86% of mobiles in Australia were infected due to malware attacks, which is twice the rate of higher-ranked countries like Denmark, Turkey, Norway, and Croatia.

Least Cyber-Secure Country in the World

According to the study, Algeria is the least cyber-secure country in the world with computer malware infection rates (19.75%) and its preparation for cyberattacks (0.262).

Most Cyber-Secure Country in the World

The study findings revealed Denmark as the most cyber-secure country in the world with low scores across the most of categories. The other top-performing countries included Sweden, Germany, Ireland, and Japan.

Australia has taken some recent initiatives to increase its cyber capabilities. In January, it added a new cybersecurity innovation node to AustCyber (Australian Cyber Security Growth Network).

Tasmania’s Cybersecurity Innovation Node, which was launched in Launceston on January 30, 2020, is the new addition to AustCyber, which is a  national network of cybersecurity innovation nodes. AustCyber nodes are designed to strengthen and accelerate Australia’s cyber capabilities and technical innovation.

AustCyber is a non-profit organization established by the Australian Government, under its roadmap for growing a cybersecurity sector for Australia at par with its international counterparts. The Tasmanian node now joins five other state and territory nodes in the country. These nodes are bound by bilateral partnerships between AustCyber and Australia’s State and Territory governments. Each node commits to the national priorities, as defined by the AustCyber’s business strategy and Cybersecurity Sector Competitiveness Plan, and is co-funded with AustCyber in its state and territory and primarily focuses on local cybersecurity workforce and business development and challenges, as long as they are not in conflict with national needs.

The post Australia Climbs 12 Positions High in Cybersecurity Rankings appeared first on CISO MAG | Cyber Security Magazine.

The study was conducted by tech firm Comparitech and considered seven criteria:

• The percentage of mobile devices infected with malware
• The percentage of computers infected with malware
• The number of financial malware attacks
• The percentage of all telnet attacks by originating country
• The percentage of users attacked by cryptominers
• The best-prepared countries for cyberattacks
• The countries with the most up-to-date cybersecurity legislation

Specific to Japan’s cybsersecurity readiness, the study reveals that it is the fifth most cyber-secure country. However, its ranking for this parameter dropped four places since the previous year’s study. Denmark tops the list as the most cyber-secure country.

The study attributes a weaker score for Japan due to the increase in mobile ransomware (from 1.34% to 1.97%), an increase in computer ransomware (from 8.3% to 9.17%), and telnet attacks from the country (while these reduced from 1.23% to 1.06%, this was still a higher figure than quite a few other countries). However, Japan’s score for preparation for cyberattacks and cryptominer attacks has improved. Japan has the lowest percentage of attacks by cryptominers – 0.17% of users. It is the fourth country on the list with the lowest malware infection rates in computers — 22.24%.

Japan’s cybersecurity readiness

Japan is gearing up for the Tokyo 2020 Olympic and Paralympic Games this summer, however, the website for Olympics and Paralympic Games might be vulnerable to cyberthreats, such as ransomware, fake entry passes, and leaks of personal information.  Owing to the high volume of tourists and possible threat analysis conducted by the governing authorities, Japan’s Communication Ministry has tabled a set of an emergency proposal that includes guidelines to mitigate risks and incidence response for cyberattacks.

The Communication Ministry panel identified certain devices and technologies including IoT (Internet of Things) devices that are vulnerable to cyberattacks. The emergency package says that, “it is desirable to consider publishing information on cyberattacks swiftly at the point in which leaks of personal information are suspected,” calling for information-sharing with relevant organizations.

The post Increasing Ransomware Attacks on Japan Impacts its State of Cyber-Readiness: Study appeared first on CISO MAG | Cyber Security Magazine.

According to the researcher, the incident occurred due to illegal scraping operation or Facebook API abuse by cybercriminals in Vietnam.

Diachenko stated that 267,140,436 records were exposed in the incident, which could be used by attackers to launch SMS spam and phishing campaigns. The exposed data was also posted on a hacker forum for download.

After discovering the trove on December 14, Diachenko immediately notified the internet service provider managing the IP address of the server. It is said that the database was left exposed for nearly two weeks before it was taken offline on December 19.

“When we find exposed personal data like this, we take steps to notify the owner of the database. But because we believe this data belongs to a criminal organization, Diachenko went straight to the ISP,” Camparitech said in a statement.

It’s still unclear how hackers obtained the user IDs and phone numbers. But, Diachenko said that Facebook’s API could also have a security hole that would allow intruders to access personal data even after access was restricted. One more possibility, according to Diachenko, is that the data was stolen by scraping publicly visible profile pages.

“We are looking into this issue but believe this is likely information obtained before changes we made in the past few years to better protect people’s information,” a Facebook spokesperson said in a media statement.

This is not the first time that millions of Facebook users suffered a data breach. Recently, Facebook admitted a data breach involving 100 third-party app developers who had improper data access. In a blog post, Facebook’s Konstantinos Papamiltiadis, Director of Platform Partnerships revealed that app developers had access to user data such as group member names and profile pictures through the Group API.

The post Unprotected Database Exposed Personal Data of 267M Facebook Users appeared first on CISO MAG | Cyber Security Magazine.

A joint investigation by cybersecurity firm Comparitech and security researcher Bob Diachenko revealed that a database of more than 2.7 billion email addresses exposed online, allowing anyone to access identity information. It also stated that around one billion of those records contained a plain-text password list related to exposed email addresses. The leaky database was taken down on December 9, 2019, after Diachenko alerted the U.S. ISP that hosted the database on December 04, 2019.

According to reports, the majority of exposed emails were from Chinese domains including qq.com, 139.com, 126.com, gfan.com, and game.sohu.com, which belonged to China’s popular internet firms Tencent, Sina, Sohu, and NetEase.

“Comparitech immediately took steps to take down the database upon discovering in order to mitigate harm to end-users, but we don’t know if anyone accessed it in the meantime,” researchers said in a statement.

Risks with Exposed Data

Cybercriminals make use of the stolen data in credential stuffing attacks. In credential stuffing attack, a hacker tries to log into various user accounts with known email and password combinations. Attackers take advantage of the fact that most people reuse email ids and passwords for multiple accounts. Once hackers gain access to an account, they try hacking other accounts by changing password combinations. The compromised accounts are used for a variety of purposes including spam, phishing, fraud, and identity theft attacks.

Earlier, a similar leaky database left around 773 million email addresses and more than 21 million passwords unprotected online. According to security researcher Troy Hunt, the person behind the breach notification service website Have I Been Pwned, a huge database that includes records from more than 2,000 hacked databases was exposed online.

The breached data, which Troy Hunt dubbed as Collection #1, include around 773 million (772,904,991) unique email addresses and 21 million (21,222,975) unique passwords. Sized around 87 GB, the breached records also included 1,160,253,228 unique combinations of breached email addresses and passwords. Hunt stated the data breach is made up of various individual data breaches from thousands of other sources.

The post 2.7 Billion Email Addresses Exposed Online appeared first on CISO MAG | Cyber Security Magazine.