Personal information of over 82 million users in the United States was exposed via a set of open Elasticsearch instances, Hacken security researchers warn.
A total of 73 gigabytes of data were found during a “regular security audit of publicly available servers with the Shodan search engine,” HackenProof explains. At least three IPs with the identical Elasticsearch clusters misconfigured for public access were discovered.
The first IP, which was indexed by Shodan on November 14, contained the personal information of 56,934,021 U.S. citizens. The data exposed to the Internet included information such as name, email, address, state, zip, phone number, IP address, and also employers and job title.
Furthermore, the security researchers discovered another index of the same database that featured over 25 million records.
The information contained here included name, company details, zip address, carrier route, latitude/longitude, census tract, phone number, web address, email, employee count, revenue numbers, NAICS codes, SIC codes, etc.
Overall, HackenProof says (PDF), 82,851,841 people were impacted by this data breach. A total of 114,686,118 records were found in the unprotected Elasticsearch instances.
What the security researchers couldn’t establish for certain was who the exposed database belonged to, though they believe it might have come from Data & Leads Inc., due to similarities in the structure of the ‘source’ field across the records.
However, not only were the researchers unable to get in touch with Data & Leads Inc., but the company’s website also went offline shortly after the report on the data breach was published.
The database is no longer exposed to the public, but Hacken couldn’t establish for how long it had been online before it was indexed by Shodan crawlers on November 14. They don’t know who else might have had access to it either.
Elasticsearch, a distributed RESTful search and analytics engine, binds to localhost by default, which is meant to keep installations away from unauthorized access. However, although authentication and role-based access control are available, not every Elasticsearch customer deploys them.
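One way an operator can self-check a node they run for exactly this misconfiguration (an anonymous GET returning cluster metadata and index listings), as an added example that is not from the article or from Hacken; the base URL is a placeholder and the sample responses are constructed:

```python
"""Self-check for an Elasticsearch node that answers without credentials."""
import json
import urllib.request
from urllib.error import HTTPError, URLError

# Constructed sample responses, standing in for what an open cluster returns
# to an anonymous GET / and GET /_cat/indices?format=json&h=index,docs.count
SAMPLE_ROOT = json.dumps({"name": "node-1", "cluster_name": "example-cluster",
                          "version": {"number": "6.4.2"}})
SAMPLE_INDICES = json.dumps([{"index": "people", "docs.count": "1200"},
                             {"index": "companies", "docs.count": "300"}])


def assess(status, root_body, indices_body):
    """Classify a node from the HTTP status and bodies of the two requests."""
    if status in (401, 403):
        return {"exposed": False, "reason": "authentication required"}
    if status != 200:
        return {"exposed": False, "reason": f"unexpected HTTP {status}"}
    root = json.loads(root_body)
    if "cluster_name" not in root or "version" not in root:
        return {"exposed": False, "reason": "not an Elasticsearch root response"}
    indices = json.loads(indices_body) if indices_body else []
    # docs.count is a string in the _cat output and may be null for an empty index
    total = sum(int(i.get("docs.count") or 0) for i in indices)
    return {"exposed": True, "cluster": root["cluster_name"],
            "version": root["version"]["number"],
            "indices": [i["index"] for i in indices], "documents": total}


def _get(url, timeout=5):
    """Return (status, body) for an anonymous GET; HTTP errors become statuses."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode()
    except HTTPError as e:
        return e.code, ""
    except URLError as e:
        return 0, str(e.reason)


def check_node(base_url):
    """Probe one node you operate, e.g. http://127.0.0.1:9200 (placeholder)."""
    base = base_url.rstrip("/")
    status, root = _get(base + "/")
    indices = ""
    if status == 200:
        _, indices = _get(base + "/_cat/indices?format=json&h=index,docs.count")
    return assess(status, root, indices)


if __name__ == "__main__":
    print(assess(200, SAMPLE_ROOT, SAMPLE_INDICES))  # offline run on the sample
```

A node that answers GET / anonymously with cluster metadata is readable by anyone who can reach the port; keeping network.host on localhost or a private interface and enabling authentication is what closes it.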
This has led to various types of attacks in the past as well, including a ransack attack last year, when 35,000 Elasticsearch clusters were found exposed to the public Internet. Earlier this year, a database owned by data broker firm Exactis was found exposing 340 million records (230 million on consumers and 110 million on business contacts).
Related: Massive Breach at Data Broker Exactis Exposes Millions of Americans
Related: Elasticsearch Servers Latest Target of Ransom Attacks

More from Ionut Arghire