An Israeli marketing company exposed more than 140GB of data by mishandling the credentials for an Elasticsearch database.

A San Diego-based DevOps engineer who uses the Twitter handle 0m3n detected the disclosure after they grew tired of receiving text messages from “random phone numbers with similar messages containing links to gibberish domains.”

An example of an SMS marketing message received by 0m3n. (Source: ISMG)

The engineer took a look at one of the domains referenced in the text messages and found a .env file exposed on its web server. A .env file holds an application's configuration, and this one pointed to an Elasticsearch instance.

0m3n learned that a set of plaintext credentials included in the file unlocked the Elasticsearch database. At the time of discovery, this instance consisted of two indexes that contained 140 GB of people’s contact information including their names, phone numbers, email addresses and physical addresses.
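The failure mode above is a web server handing out its own dotenv configuration, plaintext credentials included. The following is an added example for defenders, not code from the article or from any party it names: given an HTTP response (as you might fetch from your own hosts during an audit), it decides whether the body is a served .env file rather than an error page, parses it, and flags which keys carry credentials, including connection URLs with an embedded user:password pair. The sample body and all values in it are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# KEY=VALUE or export KEY=VALUE; value may be quoted; '#' starts a comment.
_DOTENV_LINE = re.compile(
    r'^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*("[^"]*"|\'[^\']*\'|[^#\n]*)'
)
# Key fragments that usually mean the value is a credential.
_SECRET_HINTS = ("PASS", "SECRET", "TOKEN", "KEY", "PRIVATE")

def parse_dotenv(body: str) -> dict:
    """Parse a dotenv-style body; return {} if any line does not fit."""
    env = {}
    for line in body.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _DOTENV_LINE.match(line)
        if not m:
            return {}  # an HTML error page fails on its first line
        env[m.group(1)] = m.group(2).strip().strip("\"'")
    return env

def is_dotenv_leak(status: int, content_type: str, body: str) -> bool:
    """True when a 200, non-HTML response parses as a non-empty dotenv."""
    return status == 200 and "text/html" not in content_type and bool(parse_dotenv(body))

def exposed_secrets(env: dict) -> dict:
    """Entries that carry credentials: secret-like key names, or
    connection URLs with an embedded user:password (as an Elasticsearch
    or database URL might)."""
    found = {}
    for key, value in env.items():
        if value and any(h in key.upper() for h in _SECRET_HINTS):
            found[key] = value
        elif "://" in value and urlsplit(value).password:
            found[key] = value
    return found

# Constructed sample of a mis-served .env (placeholder values, not real).
SAMPLE_BODY = """APP_ENV=production
ELASTICSEARCH_HOST=https://search.example.invalid:9200
ELASTICSEARCH_USER=elastic
ELASTICSEARCH_PASSWORD="placeholder-password"  # trailing comment
DB_URL=postgres://app:placeholder@db.example.invalid/app
"""

if __name__ == "__main__":
    env = parse_dotenv(SAMPLE_BODY)
    print("leak:", is_dotenv_leak(200, "application/octet-stream", SAMPLE_BODY))
    print("credential keys:", sorted(exposed_secrets(env)))
```

The same check belongs in a deployment test: any dotfile fetchable from the document root should fail the build before it reaches a public server.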

Data breach expert Troy Hunt analyzed the exposed data and said that it contained 49 million unique email addresses. He also found that 70 percent of those email addresses were already included in his Have I Been Pwned data breach notification service.

A closer look at the Elasticsearch instance also uncovered the Laravel logs for an application developed by Israeli marketing company Straffic.io.

Upon learning of the exposure, Information Security Media Group (ISMG) contacted Straffic.io and filed a report with Amazon Web Services. The latter confirmed on February 20 that the database had been secured.

Straffic.io issued its own response just a few days after that. As quoted on its website:

We would like to bring to your attention that we have been reported that a security vulnerability has been found on one of the servers we use to provide our services. Following this report, we confirmed a weakness did (Read more...)