Experts Reaction On 1.2 Billion Records Found Online On An Exposed, Unsecure Single Server

By Security Experts | Information Security Buzz

News has broken that 1.2 billion records were found online on a single exposed, unsecured server. While the data does not include sensitive information such as passwords, credit card numbers, or Social Security numbers, it does contain profiles of hundreds of millions of people, including home and cell phone numbers, associated social media profiles on Facebook, Twitter, LinkedIn and GitHub, work histories seemingly scraped from LinkedIn, almost 50 million unique phone numbers, and 622 million unique email addresses.

EXPERTS COMMENTS
Ameesh Divatia, Co-Founder & CEO, Baffle | November 22, 2019

Companies should proactively test and evaluate their cybersecurity posture to find vulnerabilities and remediate them.

It is somewhat unique that the actual database was left exposed in this particular scenario. These continued breaches validate that more fail-safe protection methods need to be put in place to address gaps in the security model due to human error and data sharing with third parties. Companies need to have a stronger focus on data-centric protection around the actual data values, like record-level encryption.

This recent event further illustrates that external third parties remain a significant source of data loss risk. This begs the need for a different model of data sharing that limits exposure and centralizes data instead of distributing it outright to multiple external parties. This will result in consolidation of digital processing and utilize a privacy preserving analytics capability to support use cases for business intelligence and collaboration across multiple parties. Companies will need to come to grips with protecting the actual data and as part of a “shared responsibility” model.

 

Sammy Migues, Principal Scientist, Synopsys | November 25, 2019

In cryptography, algorithms are meant to be public and the keys are meant to be private.

In modern society, the algorithms that dictate much of what we see and hear are inscrutable and our widely-published personal information is the key to making those algorithms generate enormous amounts of revenue for the algorithm owners and arguable amounts of value for us. The reason this reality is less catastrophic than it could be is that everyone’s private data is grist for the mill. If the bad guys had only the private data of thousands, then those thousands of people would surely be in deep trouble. Given the data of billions, an individual is once again a needle in a needle stack. In cryptography, algorithms are meant to be public and the keys are meant to be private. If you require “security through obscurity” and keeping your algorithm private for your cryptosystem to be “secure,” you’ve made a serious misstep. There are almost certainly other choices to accomplish security goals.

 

Tim Mackey, Principal Security Strategist, Synopsys CyRC | November 25, 2019

If the data isn’t specific to the service being delivered (e.g. shipping address), then there is no shame in being blunt with the company.

This incident highlights multiple data privacy tenets. The most obvious is that given access to any data, organizations will find a way to use, and potentially misuse, it. In this case, someone had access to user profile data from multiple social media platforms and then merged that data together, with the combined data allowing users to be more readily identified. While the origin of the raw data is currently unknown, the existence of such a merged dataset should surprise no one. Nor should it be surprising that this merged dataset was unsecured and freely available on the internet. The core problem highlighted in this and other similar incidents is just how unaware most people are of just who might have access to their personal data from a data sharing agreement between businesses. While legislation like GDPR in the EU may enable consumers to request details on what data a specific organization might have collected on them, it’s often difficult for users to interpret the report given to them. Even when the report is clear, when data is transferred to a second organization there is no guarantee the same security practices were employed by both companies.

To better combat this challenge, consumers should question precisely what benefit they receive from providing a given data element, or if the data being requested mostly benefits advertising or profiling efforts. If the data isn’t specific to the service being delivered (e.g. shipping address), then there is no shame in being blunt with the company and asking why they need it, how they are going to secure it, and how you can verify they’ve done so properly. Only if we as consumers set higher privacy expectations with our providers will the current data sharing situation improve.

 

Robert Capps, VP, NuData Security | November 25, 2019

Companies need to expedite the transition from credential and knowledge-based authentication.

Every day, we read headlines about new breaches and data exposures, so it is not surprising to come across places where this data is available for the taking. If anything, this finding should be a stark reminder that relying on credentials and personally identifiable information for user authentication is outdated.

Bad actors compile the same user’s information from different breaches and then go to the victim’s social media pages to complete that profile. The discovery of this server with all the information it contained is proof that fraudsters continue to work behind the scenes to amass consumer data while companies continue to utilise outdated passwords and security questions to know it is you. Companies need to expedite the transition from credential and knowledge-based authentication to security that verifies users based on their behaviour as well. By verifying users online with passive biometrics and behavioral analytics, breached credentials and answers to secret questions are not enough to log into someone else’s account or to make a transaction. More companies today are implementing these technologies to protect their business and their customers from account takeover. Hackers are not able to mimic inherent user behaviour online, making the stolen credentials valueless.

 

Robert Ramsden Board, VP EMEA, Securonix | November 25, 2019

However, the data that was breached could expose individuals to identity theft, credential stuffing and phishing scams.

This data breach seems to just be the latest in what seems to be a never-ending string of incidents. Yet, the sheer volume of data that has been collected and left exposed online does make this one stand out. This data breach may not have included any sensitive data such as credit card numbers. However, the data that was breached could expose individuals to identity theft, credential stuffing and phishing scams. Individuals should use Troy Hunt’s HaveIBeenPwned website to check if any of their details were leaked in this breach or any others. In addition, users should be extra vigilant on each of these social media platforms and be particularly cautious over any attempted communications both via and (supposedly) from the platforms themselves.

 

Saryu Nayyar, CEO, Gurucul | November 25, 2019

They say the data exposed is not sensitive, but I disagree.

At 1.2 billion records exposed, this is one of the largest data leaks ever, but of course they just keep getting bigger. The situation of today’s digital world is that an increasing volume of personally identifying information is being harvested whenever we interact with organisations online. Legitimate companies can collect data about us from sources all over the Internet, and then combine that data into detailed profiles which they can then sell. If this data isn’t strongly secured, and it often isn’t, this information can easily end up on the dark web.

They say the data exposed is not sensitive, but I disagree. This type of data – names, addresses, email accounts, phone numbers and social media profiles – is a treasure trove for cyber criminals to hijack people’s accounts or launch the types of sophisticated social engineering exploits that often lead to fraud and identity theft.

 

Tim Erlin, VP of Product Management and Strategy, Tripwire | November 25, 2019

We often worry about the exposure of sensitive data.

We often worry about the exposure of sensitive data, but in this connected world, it’s the connections that matter most. Personal data that isn’t exactly secret, and might even be public, takes on new meaning when collected and connected. Repositories like these are concerning, not only because of the data they contain but because as an industry we don’t really have a way to measure the impact of this type of exposure.

 

Sam Curry, Chief Security Officer, Cybereason | November 24, 2019

This latest exposure is like astronomy: billions and billions ceases to be personal or mean anything.

Once again the People Data Labs breach is a win for the black market and underground crime syndicates, as a treasure trove of personal information is available to criminals. As a society we have become inured to our personal data being exposed, and the real impact of stolen consumer data to individuals means a lot less today than it did five or ten years ago. Over the years, hundreds of billions of online accounts have been exposed, meaning that personal information on every human on the face of the earth has been stolen 20x or more.

This latest exposure is like astronomy: billions and billions ceases to be personal or mean anything. In reality, this data breach is a stark reminder that consumers need to rethink their own security hygiene. Today, everyone should assume their private information has been stolen numerous times and will continue to be accessible to a growing number of threat actors. To keep threat actors at bay, please reset passwords regularly and don’t use the password 123456 or ABCDEF. In this day and age, and with a more complex and diverse attack surface, this is never a good idea. Laziness is no excuse, as hackers prey on this and their biggest asset is patience and time. Please tighten your passwords; and if you are one of the millions of people using 123456 – STOP!

 

Javvad Malik, Security Awareness Advocate, KnowBe4 | November 24, 2019

We need vendors, cloud providers, and system administrators to adopt a more security-conscious mindset.

This incident is less of a data leak and more of a full-on data tsunami. The biggest challenge when these kinds of repositories are found is that it’s near impossible to accurately identify who the owner is. It could be a company that legitimately records data or a third party tasked with compiling profiles, a researcher, or a criminal.

Regardless of who set it up, the fact that it’s insecure and publicly accessible means that anyone could have taken the data for any purpose.

While it is stated that sensitive data such as passwords weren’t included, the sheer volume of aggregated data makes the whole thing sensitive as a whole.

There is no easy fix to these kinds of issues, and we will likely continue to see such leaks. We need vendors, cloud providers, and system administrators to adopt a more security-conscious mindset so that across the digital realm a secure culture propagates, making it difficult for any one person to harvest data, aggregate it in such large quantities, and leave it publicly exposed.

 

Jason Kent, Hacker in Residence, Cequence Security | November 24, 2019

Clearly this data has been amassed for a purpose, we can speculate on what that is.

That this sort of data, let alone the size of the database, is available is pretty frightening. Until now the database information has been contextual, such as financial data from a financial database breach for instance. Here we see a new and potentially dangerous correlation of data like never before. If your occasionally used Gmail account is used for Facebook, and someone finds out about it, not that much can happen besides a low-level phishing attempt for Facebook credentials. The targets and attacks just aren’t worth the time. However, if an attacker has a rich set of data, they can formulate very targeted attacks. The sorts of attacks that can result in knowing password recovery information, financial data, communication patterns and social structures: this is how people in power can be targeted, and eventually the attack can work.

This looks like some very sophisticated data mapping and correlation of not only breach data from various places but also combined with social media accounts and public data regarding things like home ownership. Having this much correlation means someone did quite a bit of work to put this together. Clearly this data has been amassed for a purpose, we can speculate on what that is, but keep in mind that it’s possible to build out fake online identities with very realistic data behind it and use those identities in an automated attack. This is the sort of thing that should be looked at by the Authorities because of the nature of the sophistication of the data correlation.

 

Dvir Babila, Head of Product Management, CyCognito | November 24, 2019

Troia noted in the original blog “all we can tell from the IP address (35.199.58.125) is that it is (or was) hosted with Google Cloud.”

This is a massive breach and a major open question is who owned the server behind the breach. Troia noted in the original blog “all we can tell from the IP address (35.199.58.125) is that it is (or was) hosted with Google Cloud.” Determining the ownership of IT assets that exist in the shadows like this requires a lot of fingerprints, and you have to associate those fingerprints with other IT assets exposed on the internet to build a complete picture.

Doing this manually with tons of raw threat intelligence data is very challenging. Applying mathematical techniques, such as a graph data model, works well. With more of every organization’s IT assets living in cloud environments than ever, a new level of automation has to be applied to threat intelligence both for assessing risk and for dealing with post-incident forensics.

 

Stephan Chenette, Co-Founder and CTO, AttackIQ | November 24, 2019

Companies must take on the responsibility of analyzing the security of their IT environments.

Unfortunately in this incident there are still many unknown details, including who owns this database. It’s only a matter of time before that information comes to light, but no matter the owner, database misconfigurations are relatively basic mistakes that have massive consequences, as this incident clearly demonstrates. While it is currently unknown if the Elasticsearch server was accessed by unauthorized parties, there are 1.2 billion records at risk. Any organization that collects and stores consumer data must make protecting that data a priority. Companies must take on the responsibility of analyzing the security of their IT environments on an ongoing basis and continuously test the efficacy of their security controls to ensure any vulnerabilities or misconfigurations are identified and remediated in a timely manner.

 

Robert Capps, VP, NuData Security | November 24, 2019

Hackers are not able to mimic inherent user behavior online.

Every day, we read headlines about new breaches and data exposures, so it is not surprising to come across places where this data is available for the taking. If anything, this finding should be a stark reminder that relying on credentials and personally identifiable information for user authentication is outdated. Bad actors compile the same user’s information from different breaches and then go to the victim’s social media pages to complete that profile. The discovery of this server with all the information it contained is proof that fraudsters continue to work behind the scenes to amass consumer data while companies continue to utilize outdated passwords and security questions to know it is you. Companies need to expedite the transition from credential and knowledge-based authentication to security that verifies users based on their behavior as well. By verifying users online with passive biometrics and behavioral analytics, breached credentials and answers to secret questions are not enough to log into someone else’s account or to make a transaction. More companies today are implementing these technologies to protect their business and their customers from account takeover. Hackers are not able to mimic inherent user behavior online, making the stolen credentials valueless.

 

Sudhakar Ramakrishna, CEO, Pulse Secure | November 24, 2019

A zero trust framework with orchestrated data protection mechanisms is necessary.

This type of data breach is alarming due to the sheer amount of personal information exposed and the potential fidelity added to social media attack vectors. There should be little comfort in the fact that credit card or SSN numbers were not exposed, given the massive volume of profiles and contact information of hundreds of millions of people. The harsh reality of today’s evolving threat landscape and threat actor marketplace is this new data will be bought and sold on the dark web and can easily be combined with other exposed PII from one of the many data breaches in 2019 to create more comprehensive identity exploits. This highlights exactly why enterprises need to revisit auditing their data, access, controls and protection obligations. A zero trust framework with orchestrated data protection mechanisms is necessary. Servers and storage, whether being serviced, repurposed or sold, should never have this type of data in the clear.

 

Deepak Patel, Security Evangelist, PerimeterX | November 24, 2019

ATO attacks can be devastating to users.

Data breaches have contributed to the rise in account takeover (ATO) attacks and as a result, have been one of the most significant drivers for changes in cybersecurity in recent years. Data breaches have resulted in billions of username and password combinations being available on the dark web. This plethora of credentials, which is now even larger due to this new exposure, has resulted in a 65% year over year increase in ATO attacks in 2019 and $5.1 Billion in losses in 2018. ATO attacks can be devastating to users, who lose account access and personal data, and to retailers who experience increased operational costs and reduced revenues. It is imperative for online retailers to quickly review application security protocols and consider additional safeguards against such business logic attacks. Otherwise, these businesses risk compromise and massive damages from ATO attacks including chargebacks, increased customer support requests, lost revenue, brand damage and fines.

 

Salah Nassar, Vice President of Marketing, CipherCloud | November 24, 2019

The problem is the industry has not caught up to the simple fact that the perimeter has eroded.

1.2 billion records breached, add this to the billions of records made public over the last few years and the outcome is clear, there is no such thing as privacy in the cloud. With California Consumer Privacy Act just around the corner, this breach should be a cry for help or a battle cry for strict enforcement of data protection across all organizations collecting consumer data. For organizations to prove they have strong data-centric protection.

What’s most interesting is the multi-billion dollar industry focused on threat protection – yet the breaches continue. In 2019 we have seen advanced threat detection, remediation, amazing technology to identify threat behaviors based on almost scary levels of AI/ML – yet the breaches continue. The problem is the industry has not caught up to the simple fact that the perimeter has eroded. Their new network does not have a location; therefore the data itself has to be the new location. The focus should be on how to identify this sensitive data and protect it. Protect it as though it’s living on an open server with direct access to the public. The technology for this already exists. In fact, this is the oldest computer security – encryption.

 

Willy Leichter, VP of Marketing, Virsec | November 24, 2019

The data Genie is growing daily.

The data exposed appears to have been handled by at least two “data enrichment companies.” These organizations aren’t so different from the credit reporting agencies that collect our data. Oftentimes, we don’t know what’s in there, and there’s little recourse to correct it. Well-founded privacy concerns are the major impetus behind the California Consumer Privacy Act, GDPR & other state and national privacy laws now in the works. The goal of these is to enable users to explicitly control their data that’s “out there.” There’s been no “opt-in” for consumers who don’t want their data shared, and now the challenge is how to put the Genie back in the bottle.

The time to act is NOW. The reality is that the compiled and consolidated data that massive companies are now monetizing is a small fraction of what will be exposed in the years to come. As more companies use increasingly advanced AI to predict consumer behavior, there is enormous potential for both intrusions into and limitations on the average consumers’ life. Religious preferences, social activities, spending patterns, educational potential and more may become mere data points by which consumers are targeted or limited. Just as so many companies are now using consumer behavioral data to predict shopping, travel patterns and more, they could use customer data, including illegally sourced data, in ways that have the potential to be detrimental on entirely new levels.

The data Genie is growing daily. It’s urgent that authorities pass and uniformly enforce laws to give legal control to consumers over their data. It’s equally urgent that individuals today invoke greater care of their data in the absence of such laws, and that companies are far more diligent with data collected than we’ve seen in these last few years.

 

Mounir Hahad, Head, Juniper Threat Labs, Juniper Networks | November 24, 2019

It doesn’t take much in terms of configuration mistakes to grant full access to an online database.

Unfortunately our data is more and more being handled by small companies with little expertise in securing it. It doesn’t take much in terms of configuration mistakes to grant full access to an online database. Sometimes it is caused by shadow IT: even if your security team is on top of cybersecurity best practices, workarounds by other departments will land the database in an insecure online location.
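The configuration mistake Hahad points to here, and Chenette's remark above that the exposed system was an Elasticsearch server left misconfigured, are easy to check for before deployment. The following is an added example, not code from the page or from any of the vendors quoted: a small audit that reads an Elasticsearch node's elasticsearch.yml and reports when the node is bound beyond loopback without authentication or TLS. Both config texts are constructed samples and the severity rules are the example's own.

```python
"""Audit an Elasticsearch node config for unauthenticated network exposure.
Added defensive example, not from the page; config samples are constructed."""
import re

# Constructed sample: binds every interface and switches authentication off,
# so anyone who can reach port 9200 can read and write every index.
EXPOSED_CONFIG = """
cluster.name: profiles
node.name: node-1
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample of the corrected settings: loopback only, auth and TLS on.
HARDENED_CONFIG = """
cluster.name: profiles
node.name: node-1
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Values of network.host that keep the node on the local machine only.
LOOPBACK = {"localhost", "127.0.0.1", "::1", "_local_"}


def parse_config(text):
    """Minimal parser for flat 'key: value' lines; comments and blanks skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([\w.]+)\s*:\s*(.*?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip("\"'")
    return settings


def is_externally_bound(host_value):
    """network.host may be a comma-separated list; any non-loopback entry counts."""
    hosts = [h.strip() for h in host_value.split(",") if h.strip()]
    return any(h not in LOOPBACK for h in hosts)


def assess(text):
    """Return (severity, message) findings; an empty list means no rule fired."""
    s = parse_config(text)
    findings = []
    # Elasticsearch defaults network.host to _local_ (loopback) when absent.
    external = is_externally_bound(s.get("network.host", "_local_"))
    auth_on = s.get("xpack.security.enabled", "").lower() == "true"
    tls_on = s.get("xpack.security.http.ssl.enabled", "").lower() == "true"
    port = s.get("http.port", "9200")
    if external and not auth_on:
        findings.append(("critical", f"bound beyond loopback on port {port} "
                         "without xpack.security enabled: all indices are "
                         "readable and writable by anyone who can reach it"))
    elif external and not tls_on:
        findings.append(("high", f"bound beyond loopback on port {port} "
                         "with authentication but no HTTP TLS: credentials "
                         "travel in the clear"))
    elif not external and not auth_on:
        findings.append(("medium", "loopback-only today, but authentication "
                         "is off; a later network.host change exposes it"))
    return findings


def is_exposed(text):
    """True when the config would let unauthenticated remote clients in."""
    return any(sev == "critical" for sev, _ in assess(text))


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, assess(cfg) or "no findings")
```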

 

Paul Bischoff, Privacy Advocate, Comparitech | November 24, 2019

It demonstrates the need to regulate data brokers.

This data is a goldmine for cybercriminals setting up large-scale spam, scam, and phishing campaigns. These massive databases, whether they’re held by criminals or data brokers, are becoming more common. It demonstrates the need to regulate data brokers, and Vermont’s 2018 Data Broker Regulation is a good example. It forces data brokers to register with the state, maintain minimum security standards, and prohibits them from fraudulently acquiring data. I think it could go a step further by requiring data brokers to give people an option to opt-out of data sharing.

 

Colin Bastable, CEO, Lucy Security | November 24, 2019

Data farmers are not exactly making it hard for organized crime to run lucrative phishing, vishing and CEO attacks.

Once again, businesses are monetizing personal data on a massive scale, and abdicating responsibility for that data after it is sold. Data farmers are not exactly making it hard for organized crime to run lucrative phishing, vishing and CEO attacks. As well as all those “legit” calls, spam emails and texts, this data exposes people to significant risk of loss through cybercrime. Until consumers are given complete rights over the use of their data, it will continue to be aggregated, sold and resold with no consequences for the monetizers, but with long-term consequences for consumers.

 

Keith Geraghty, Solutions Architect, CEO, Edgescan | November 24, 2019

Social media companies should also be doing more to make users aware of privacy options and how to adjust them.

The sheer amount of data that has been exposed is the issue here. It’s concerning to have such a large database wide open in the wild. The type of data exposed is not sensitive in nature; however, to an attacker it can be gold dust. The data will allow for large scale phishing campaigns against users. The attack path will likely be the usual methods of delivery such as emails, profile impersonations and scam phone calls. Also we may see widespread brute force attempts made on applications which use email as the method of login. The disclosed profile information can also lead to other issues such as answers to recovery questions being discovered.

The first port of call for concerned individuals is to ensure ground zero is secure. That’s secure passwords, secure recovery questions, enforcing multi-factor authentication where possible and of course not opening mail or answering phone calls from unrecognised sources. We may see this leak on https://haveibeenpwned.com/ which is a website where users can check if their data was exposed. Users should also review the privacy settings in any social media platforms which they use to help combat against other routes of phishing attacks. For developers, ensuring lockout policies to block against brute force attempts is a good first step to take. Social media companies should also be doing more to make users aware of privacy options and how to adjust them.

 

External Link: Experts Reaction On 1.2 Billion Records Were Found Online On An Exposed, Unsecure Single Server
