Leaky Database Exposes the Data of 20 Million Russian Nationals

Exposed databases are becoming an increasing problem for the public. In a recent report published by Comparitech together with Bob Diachenko, an unprotected server was found to expose the personally identifiable information (PII) of over 20 million Russian nationals. PII is most commonly understood as any data that could lead to the identification of an individual; credit card information, identity numbers, medical records, and social security numbers are all examples of PII. The sensitive information was exposed from 2009 to 2016 and formed part of an Amazon Web Services (AWS) Elasticsearch cluster. The cluster in question was not protected by any form of encryption or password protection.

Within the cluster, devoid of any form of security, researchers discovered multiple databases. Two of these would have been of particular interest to any hacker, and in turn to the researchers: they contained PII and tax information belonging to individuals. This information could be used in targeted phishing attacks or identity theft campaigns.

The first database stored over 14 million records from 2010 to 2016, whereas the second contained 6 million records from 2009 to 2015. Data discovered included names, addresses, residency status, passport numbers, phone numbers, tax IDs, employer names, telephone numbers, and other tax-associated information. Most of the records were traced to residents of Moscow and the city’s surrounding areas.

Researchers informed the owner of the server, who promptly made sure the server could no longer be accessed without credentials. However, the owner did not respond to any of the emails the researchers sent regarding the matter. The server was first indexed by search engines in May 2018. It was later discovered by Diachenko on September 17, 2019, who then tracked down the owner.


The data could no longer be accessed by September 20, 2019. Such work by security researchers, namely searching for exposed web servers, has been interpreted by some as snooping. However, it does make the Internet a slightly safer place: it is better that responsible researchers discover such data and report it to the organizations concerned than that hackers find it first. The researchers noted that,

“We cannot determine whether anyone else accessed the data while it was exposed. We could only determine that the owner is in Ukraine and know little more about the party responsible.”

Information Belonging to Ecuadorians Also Exposed

It is not only Russians residing in and around Moscow who need to be on the lookout for their information being used illegally. Security researchers Noam Rotem and Ran Locar discovered another unsecured Elasticsearch server. This time the data held within the server contained a total of approximately 20.8 million user records of Ecuadorian nationals. This number is considerably larger than the country's total population of over 16 million. The discrepancy was attributed to duplicate entries, as well as records of already deceased individuals. The two researchers shared their findings exclusively with ZDNet, who noted that the data was spread across multiple indexes from multiple sources. Personal information discovered included names, information on family members, civil registration data, financial and work information, and data relating to car ownership.

Researchers concluded that the data came from both governmental and private industry sources. The most extensive data appears to have been gathered from the Ecuadorian government's civil registry. It contained entries holding citizens' full names, dates of birth, places of birth, home addresses, marital status, identity numbers, employment information, phone numbers, and education levels. Interestingly, the data included entries associated with Julian Assange, the founder of WikiLeaks, who, while not an Ecuadorian citizen, received asylum from the country's embassy in London. From private industry, two indexes in particular contained data any hacker would pay good money for. In total, ZDNet, in verifying the researchers' findings, found seven million financial records, including 2.5 million car ownership records.

As to the source of the data, both the researchers and ZDNet found that the exposed server belonged to a local company named Novaestrat. The company advertises itself as a provider of analytics services for the Ecuadorian market. The researchers, working for vpnMentor, published a report on their findings, noting that contacting the company was not an easy task and that they had to enlist the help of Ecuador’s CERT team to facilitate contact. The researchers were also quick to highlight the dangers of such information falling into the wrong hands, stating that,

“This information leaves individuals at risk of email and phone scams. Hackers and other malicious parties could use the leaked email addresses and phone numbers to target individuals with scams and spam…Phishing attacks could be tailored to the individuals using exposed details to increase the chances that people will click on the links…This data breach is particularly serious simply because of how much information was revealed about each individual. Scammers could use this information to establish trust and trick individuals into exposing more information.”

Further, the dangers relating to identity theft and fraud were summarised as,

“Another issue is the highly private and sensitive nature of some of the leaked information…Most concerningly, the leaked data seems to include national identification numbers and unique taxpayer numbers. This puts people at risk of identity theft and financial fraud…A malicious party with access to the leaked data could gather enough information to gain access to bank accounts and more…Additionally, access to automotive details can assist criminals in identifying specific vehicles and their owner’s address.”

Given the impact that such information can have on individuals when used maliciously, companies are urged to secure all servers by ensuring that authentication systems are in place and that access rules are enforced throughout the organization.
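As an added example (not code from the article or from the researchers named above), the following Python classifies how an Elasticsearch cluster answers an unauthenticated request to its root URL, flags plain-HTTP transport, and, where the root answers anonymously, sizes what is reachable from `/_cat/indices?format=json`; the responses, index names and document counts are constructed samples, and `es.example.internal` is a placeholder host.

```python
import json
from urllib.parse import urlparse

# Constructed sample responses (status, headers, body); not captured from any real server.
OPEN_ROOT = (200, {"content-type": "application/json"},
             json.dumps({"name": "node-1", "cluster_name": "sample-cluster",
                         "version": {"number": "6.8.0"},
                         "tagline": "You Know, for Search"}))
LOCKED_ROOT = (401, {"www-authenticate": 'Basic realm="security"'},
               json.dumps({"error": {"type": "security_exception"}, "status": 401}))
# Constructed /_cat/indices?format=json output; docs.count is a string in the real API.
OPEN_INDICES = json.dumps([
    {"index": "tax-records-2016", "docs.count": "14000000"},
    {"index": "tax-records-2015", "docs.count": "6000000"},
    {"index": ".kibana", "docs.count": "3"},
])


def assess_root(url, status, headers, body):
    """Classify one unauthenticated GET against the cluster root URL."""
    findings = []
    if urlparse(url).scheme.lower() != "https":
        findings.append("plain HTTP: no transport encryption")
    lower = {k.lower(): v for k, v in headers.items()}
    if status in (401, 403) or "www-authenticate" in lower:
        return {"anonymous_access": False, "findings": findings}  # credentials enforced
    try:
        data = json.loads(body)
    except ValueError:
        data = {}
    # A 200 carrying cluster_name/tagline means the root answered without credentials.
    if isinstance(data, dict) and ("cluster_name" in data or "tagline" in data):
        findings.append("anonymous access: root answered as %s" % data.get("cluster_name"))
        return {"anonymous_access": True, "findings": findings}
    return {"anonymous_access": False, "findings": findings}


def summarise_indices(cat_indices_json):
    """Return (total documents, [(index, docs)] largest first) from /_cat/indices JSON."""
    rows = json.loads(cat_indices_json)
    per_index = sorted(((r.get("index", "?"), int(r.get("docs.count") or 0)) for r in rows),
                       key=lambda t: t[1], reverse=True)
    return sum(c for _, c in per_index), per_index


def audit(url, root_response, cat_indices_json=None):
    """Combine both checks into one report; index sizing only applies when the root is open."""
    report = assess_root(url, *root_response)
    if report["anonymous_access"] and cat_indices_json is not None:
        total, per_index = summarise_indices(cat_indices_json)
        report["documents_reachable"] = total
        report["largest_index"] = per_index[0][0] if per_index else None
    return report
```

Against a live cluster, feed `audit()` the status, headers and body from your own HTTP client; a report with `anonymous_access` true or a plain-HTTP finding is the condition both exposures above had in common.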
