The data of 114 million businesses and individuals has been discovered in an unprotected database. The information exposed included the full name, employer, email, address, phone number and IP address of 56,934,021 individuals, and the revenues and employee counts for up to 25 million business entities.
Hackenproof, the Estonian cybersecurity company that found the data trove online, announced their discovery on their blog. The data was found on Shodan, an IoT-centric search engine that allows users to look up and access “power plants, Smart TVs, [and] refrigerators.” Shodan’s most popular search terms include “unprotected webcams” and “routers with default passwords.” (Side note: always change the default password on your devices.)
The data is thought to have originated from Data&Leads, Inc., which promptly took down their entire website as soon as the exposure was made public. A cached version of the company’s website shows that it promised “access to our massive in-house data collection, as well as one of the largest data supplier networks of any data or lead company.”
The data was exposed due to a misconfiguration of Elasticsearch, an open-source search engine technology. Similar misconfigurations have led to a host of other recent incidents, including:
- 340 million personal records leaked on Exactis
- 32 million SkyBrasil customers
- 1133 NFL players
- Several thousand ransomware attacks
The information made available from the Data&Leads leak, while not necessarily directly leading to breaches or identity theft for those exposed, can easily be exploited in combination with other information available on the dark web, or via phishing scams.
The fact that a legitimate company like Hackenproof is scouring Shodan and Elasticsearch for unprotected records suggests a strong possibility that hackers are out there trying to do the same. The takeaway? Secure your accounts and practice good data hygiene accordingly.