An Israeli marketing company exposed 49 million unique email addresses after the authentication credentials for an Elasticsearch database were left on an unprotected web server.
In a vague update this week, Straffic, a private digital marketing company, said the incident was the result of a "security vulnerability" affecting one of its servers.
But that is not the whole story, and the event shows that huge databases remain at risk even when access to them requires authentication.
Unexpected vulnerability
Straffic is described as "a private affiliate network with CPA [cost per action] & CPL [cost per lead] by trusted advertisers".
In a short message on Wednesday, the company announced that "a security vulnerability was found on one of the servers we use to provide our services."
The incident involved an Elasticsearch database with 140GB of contact information consisting of names, phone numbers, and postal addresses. Although the database was password-protected, the credentials were not stored securely.
A security researcher known as 0m3n on Twitter found them in plain text on the web server. 0m3n, a DevOps engineer with an emphasis on security, decided to examine the web server after receiving a link to it in a spam message.
Troy Hunt said that 70% of the emails in the Straffic database already existed in Have I Been Pwned, the data breach notification site he created. This means that many of these emails "did not come from previous breaches", he said in reply to Under the Breach on Twitter.
Straffic says all its systems are safe at the moment and that it found no evidence that the data was copied or misused.
Indeed, security incidents can occur even when the best precautions have been taken, and they become far more likely once database credentials circulate online, especially in plain text.
Hunt, who is very familiar with data breach notifications, points out that Straffic's announcement lacks the basic information such a notice should contain. No details are given on the date of the incident (or at least an estimate), what caused it, how it was addressed, or whether the affected parties were informed.
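The failure described above was not a weak password but a strong one written into a file on a web-reachable server. The following audit script is an added example, not Straffic's code or 0m3n's tooling: it walks a directory tree that is assumed to be a web root or deployment directory the operator administers, looks for connection URLs that embed a username and password (the Elasticsearch-style `scheme://user:password@host:port` form) and for common `KEY=VALUE` secrets, and reports each hit with the secret redacted so that the report itself does not become another plaintext copy. The sample configuration at the bottom is constructed for the demonstration; the host name and password in it are invented.

```python
"""Audit a directory tree for credential material stored in plain text.

Added example for self-auditing a server you administer. Finds
(1) URLs that carry userinfo (scheme://user:password@host[:port]) and
(2) KEY=VALUE / KEY: VALUE lines whose key looks like a secret name.
Findings are reported with the secret redacted.
"""
import os
import re
import sys
from dataclasses import dataclass
from typing import List

# URL with embedded credentials, e.g. https://elastic:hunter2@es.internal:9200
URL_CRED_RE = re.compile(
    r"\b([a-z][a-z0-9+.-]*)://([^\s:/@]+):([^\s@/]+)@([^\s/:'\"]+)(?::(\d+))?",
    re.IGNORECASE,
)
# KEY=VALUE or KEY: VALUE where KEY contains a secret-ish word
KV_SECRET_RE = re.compile(
    r"^\s*([A-Za-z0-9_]*(?:PASSWORD|PASSWD|SECRET|API_KEY|TOKEN)[A-Za-z0-9_]*)"
    r"\s*[=:]\s*['\"]?([^'\"\s]+)",
    re.IGNORECASE | re.MULTILINE,
)
# File types worth reading as text in a web root or deploy directory
TEXT_EXTS = {".env", ".conf", ".cfg", ".ini", ".yml", ".yaml", ".json",
             ".txt", ".php", ".js", ".py", ".sh", ".xml", ".properties"}


@dataclass
class Finding:
    path: str
    line: int
    kind: str      # "url-credential" or "kv-secret"
    context: str   # redacted rendering of the match


def redact(secret: str) -> str:
    """Keep two leading characters so an operator can recognise the value."""
    if len(secret) <= 4:
        return "*" * len(secret)
    return secret[:2] + "*" * (len(secret) - 2)


def scan_text(text: str, path: str = "<memory>") -> List[Finding]:
    """Return all credential findings in one document, URLs first."""
    findings: List[Finding] = []
    for m in URL_CRED_RE.finditer(text):
        scheme, user, password, host, port = m.groups()
        line = text.count("\n", 0, m.start()) + 1
        ctx = f"{scheme}://{user}:{redact(password)}@{host}"
        if port:
            ctx += f":{port}"
        findings.append(Finding(path, line, "url-credential", ctx))
    for m in KV_SECRET_RE.finditer(text):
        key, value = m.groups()
        line = text.count("\n", 0, m.start()) + 1
        findings.append(Finding(path, line, "kv-secret", f"{key}={redact(value)}"))
    return findings


def scan_tree(root: str, max_bytes: int = 2_000_000) -> List[Finding]:
    """Walk `root` and scan every text-like file below the size cap."""
    out: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            # os.path.splitext(".env") yields no extension, so test the name too
            if ext not in TEXT_EXTS and not name.startswith(".env"):
                continue
            p = os.path.join(dirpath, name)
            try:
                if os.path.getsize(p) > max_bytes:
                    continue
                with open(p, "r", encoding="utf-8", errors="replace") as fh:
                    out.extend(scan_text(fh.read(), p))
            except OSError:
                continue  # unreadable file: skip, do not abort the audit
    return out


# Constructed sample configuration (hostname and password are invented).
SAMPLE_CONFIG = """\
# constructed sample, not real data
ES_HOST=es-internal.example.invalid
ES_URL=https://elastic:Sup3rS3cret@es-internal.example.invalid:9200
ELASTIC_PASSWORD=Sup3rS3cret
LOG_LEVEL=info
"""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_tree(target) if target else scan_text(SAMPLE_CONFIG, "sample.env")
    for f in results:
        print(f"{f.path}:{f.line}: {f.kind}: {f.context}")
```

Run it with a directory argument to audit that tree, or with no argument to see the two findings from the embedded sample (the URL on line 3 and the `ELASTIC_PASSWORD` line on line 4, both with the password shown as `Su*********`). The extension allow-list and size cap keep the scan from reading binary uploads; both are assumptions to tune for a given deployment.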