LONDON (Labour Buzz) - That’s around 16% of the world’s population, of around 7.7 billion, affected by a single data breach. Though it doesn’t outstrip the largest data breach in history, which is that of Yahoo, affecting 3 billion user accounts in 2013 and 2014. As of yet, it doesn’t appear to match the severity, but what happens to the data in the wrong hands could be critical. This latest breach appears to involve an unprotected server, whereas the Yahoo data breach almost certainly involved malicious actors from the outset.
Regardless, this latest data leak is unique, mammoth in size, and raises immediate concerns. The data seems to have originated from multiple datasets and potentially more than one data broker. The data includes social media accounts, email addresses, and telephone numbers, the three billion user accounts, and 650 million unique email addresses, a total of four terabytes of data.
Consider the Yahoo breach, not to mention the 500 million record Marriott International Breach, the eBay breach, the Equifax breach, and let’s not add the Facebook and Cambridge Analytica scandal; and hundreds of other breaches. We have GDPR in Europe and other global regulators are considering or implementing data privacy regulations.
So, have we not yet learned to better protect consumer data?
It appears not. Risk Based Security’s mid-year data breach report for 2019 totted up at least 3,800 breaches for the first half of this year exposing 4.1 billion records, then add the latest breaches and now this huge breach.
Onto the details, cybersecurity experts Bob Diachenko and Vinny Troia discovered the unprotected database containing the records on an Elasticsearch server. It could be accessed by anyone with the server’s web URL without needing a password and the data could be easily downloaded. It included Facebook, Twitter, Github, and LinkedIn profile information but NOT passwords and credit card numbers. It’s since been taken offline.
Troia told WIRED:
“This is the first time I've seen all these social media profiles collected and merged with user profile information into a single database on this scale. From the perspective of an attacker, if the goal is to impersonate people or hijack their accounts, you have names, phone numbers, and associated account URLs.”
He believes the data came from multiple sources, or datasets. Some of it came from the data broker People Data Labs (PDL). It is one of many companies that sells information about internet users to brands who use it to target them with specific advertising campaigns and content. But the server where the information was discovered did not belong to PDL. What may have happened is the data was bought from PDL, then left for all to discover on the server, whether unintentionally or not has yet to be established.
PDL’s co-founder Sean Thorne told WIRED:
“The owner of this server likely used one of our enrichment products, along with a number of other data enrichment or licensing services. Once a customer receives data from us, or any other data providers, the data is on their servers and the security is their responsibility.”
Troia believes some of the data may have originated from Oxydata, under similar circumstances. Oxydata says the information has not been leaked from their database and the dataset is likely the work of a “third party” though the raw information could well have originated from one of their customers.
In what appears to be Troia’s initial revelation at DataViper he describes how data enrichment companies work. They take what can be one piece of information on a person and expand the user profile with what can be hundreds of new items of information, for a fee. The buyer gets the information it pays for, but the data broker or enrichment company also keeps a copy to add to its records, growing them exponentially. Troia writes:
“As seen with the Exactis data breach, collected information on a single person can include information such as household sizes, finances and income, political and religious preferences, and even a person’s preferred social activities.”
Troia speculates what mystery organization got hold of the data and if they were a customer of both PDL and Oxydata, he writes:
“If this was a customer that had normal access to PDL’s data, then it would indicate the data was not actually “stolen”, but rather mis-used. This unfortunately does not ease the troubles of any of the 1.2 billion people who had their information exposed.”
“If this was not a breach, then who is accountable for this exposure?”
The incident has been reported to the FBI and there is no indication at present that any illicit actors obtained or have used the data, though there is always that chance. Cyber-expert Troia passed the exposed records to the website HavelBeenPwned where users can check if their data has been exposed. Without FBI intervention the Google Cloud Server owner won’t be revealed by the provider.
Security researcher Troy Hunt, who runs HavelBeenPwned says:
“What stands out about this incident is the sheer volume of data that’s been collected and how it’s been aggregated, stored, and commercialized without the knowledge of the data owners.”
Hunt believes “more data than ever” is “circulating” adding:
“It’s not just due to more data breaches, it’s also due to the propagation of data that’s already been breached. We’re seeing that data then taken by other services, duplicated, then breached again."
The breached data could be used in cyberattacks on consumers and businesses
Despite the breached data not containing passwords and credit card information, in the wrong hands it can be used by cybercriminals applying social engineering and phishing scams. Illicit actors can use small snippets of information to trick individuals out of valuable information and combine it with other information to enable data theft and credential stuffing.
PDL’s website, as per Bloomberg, says its data includes over 70% of decision makers in the US, UK and Canada. So, the breached data set may contain very valuable information that cybercriminals can use to target these high value individuals. In fact, it’s evident that cybercriminals are using more and more sophisticated methods, beginning with data gathering, to target executives as well as everyday consumers. CEO fraud, for example, or business email compromise, cost companies over a billion dollars in 2018.
(Written by Melanie Kramer, edited by Michael O'Sullivan)