
Massive Data Exposure via Misconfigured Elasticsearch Server Containing 6 Billion Records

Updated October 16, 2025 at 07:00 PM (2 sources)


A misconfigured Elasticsearch server, believed to be operated from Russia or a Russian-speaking country, was discovered leaking over 6.19 billion records to the public internet without any authentication or password protection. The exposed server held 1.12 terabytes of data, including records collected from both disclosed and undisclosed data breaches as well as information obtained through website scraping. Among the most sensitive data were records from the Ukrainian bank Accordbank, which included users' full names, birthdates, birthplaces, addresses, phone numbers, national ID numbers, passport numbers, and tax codes.

Independent cybersecurity researcher Anurag Sen was the first to identify the exposed server and report it to the media. The server's index information confirmed the scale of the exposure, with over 6.19 billion records available to anyone who connected. Screenshots from the server showed that the data was stored in JSON format and included detailed personally identifiable information (PII) from various sources. The database also contained files referencing Accordbank, which were later observed being peddled by the user "tRex_Prime" on DarkForums, indicating that the data may already have been accessed and distributed by other threat actors.

The leak included not only banking and contact information but also records from other breaches and data scraped from websites, making the exposure particularly broad and damaging. The server was eventually taken offline, but it remains unclear how long the data was accessible or how many unauthorized parties downloaded it. The reporting also noted previous incidents in which hacking groups such as ShinyHunters and Nemesis leaked stolen data and hacking tools from other exposed cloud storage resources.
The incident highlights the ongoing risks associated with misconfigured cloud infrastructure and the potential for large-scale data aggregation to amplify the impact of breaches. Security experts warn that such exposed databases are prime targets for cybercriminals seeking to exploit PII for identity theft, fraud, and further attacks. The presence of both old and new breach data, as well as scraped information, demonstrates the evolving tactics of threat actors in collecting and monetizing sensitive information. Organizations are urged to regularly audit their cloud configurations and monitor for unauthorized data exposures to prevent similar incidents. The scale and sensitivity of the leaked data underscore the urgent need for improved security practices in managing large datasets, especially those containing PII from multiple sources. The incident serves as a stark reminder of the consequences of failing to secure cloud-based data storage and the far-reaching impact such exposures can have on individuals and organizations worldwide.
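As an added example (not code from the article or either of its sources), a small Python audit of the elasticsearch.yml settings that produce exactly this kind of exposure: security switched off and the HTTP API bound beyond the loopback interface. The setting names are real Elasticsearch options, the two configs are constructed samples, and because clusters on 8.0 or later enable security by default even when the key is unset, the "not explicitly true" finding is a prompt to verify rather than a confirmed gap.

```python
import ipaddress
# Constructed sample: anonymous HTTP API, bound to every interface, no TLS.
WEAK_CONFIG = """
network.host: 0.0.0.0
xpack.security.enabled: false
xpack.security.http.ssl.enabled: false
"""
# Constructed sample: the same cluster with auth and TLS on, loopback only.
HARDENED_CONFIG = """
network.host: 127.0.0.1
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines elasticsearch.yml uses; skip comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def binds_beyond_loopback(host):
    """True if network.host exposes the HTTP API on a non-loopback interface."""
    if host in ("_local_", "localhost", ""):
        return False
    if host in ("_site_", "_global_", "0.0.0.0", "::"):
        return True
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # unknown interface alias or hostname: assume exposed

def audit_elasticsearch_config(text):
    """Return findings for settings that turn a cluster into a public data trove."""
    s = parse_flat_yaml(text)
    security = s.get("xpack.security.enabled", "").lower()  # unset: off before 8.0
    exposed = binds_beyond_loopback(s.get("network.host", "_local_"))
    findings = []
    if security != "true":
        findings.append("xpack.security.enabled not explicitly true: verify auth is on")
    if exposed:
        findings.append("network.host binds beyond loopback: API reachable from network")
    if security != "true" and exposed:
        findings.append("CRITICAL: possibly unauthenticated cluster reachable from the network")
    if s.get("xpack.security.http.ssl.enabled", "").lower() == "false":
        findings.append("xpack.security.http.ssl.enabled=false: credentials in cleartext")
    return findings
```

Run it against the weak sample and the CRITICAL line appears; against the hardened sample it returns no findings.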

Related Stories

Massive MongoDB Exposure of 4.3 Billion Professional Records

A misconfigured MongoDB database containing approximately 16 terabytes of data was discovered exposed online, revealing 4.3 billion professional records. The database, found by cybersecurity researcher Bob Diachenko in collaboration with nexos.ai, included sensitive personally identifiable information (PII) such as full names, email addresses, phone numbers, job roles, employment history, education, and links to professional platforms like LinkedIn. The dataset was organized into nine collections, with at least three containing nearly two billion unique records each, and one collection alone holding over 732 million records with photographs. The database was secured two days after discovery, but it remains unknown who may have accessed the data during the exposure window. Analysis by Cybernews and other researchers indicated that the data likely originated from various sources, possibly through scraping and aggregation, and included enrichment metrics and Apollo.io IDs, though there was no evidence of a breach at Apollo.io itself. The scale and detail of the exposed information present significant risks for targeted phishing, social engineering, and identity theft. The owner of the database has not been confirmed, and the incident highlights ongoing risks associated with unsecured cloud databases and the aggregation of large-scale professional data sets.

3 months ago

Large-Scale Data Exposures Driven by Misconfigured Cloud Datastores

Cybernews researchers reported multiple **data exposures caused by misconfigured back-end services**, including consumer mobile apps and a large unprotected database. Three widely downloaded Android AI photo identification apps—*Insect Identifier by Photo Cam*, *Dog Breed Identifier Photo Cam*, and *Spider Identifier App by Photo*—reportedly leaked more than **150,000** users’ data via a **Firebase misconfiguration** with inadequate authentication/access controls. Exposed data included email addresses, usernames, profile photos, notification tokens, and **GPS coordinates**; while passwords were not found, researchers noted the location data could enable stalking, doxxing, and targeted scams, and observed indications that automated bots had already discovered the exposed databases prior to the investigation. The apps were attributed to publisher **MobilMinds** (linked to **OZI Technologies**), and the developers reportedly did not respond to requests for comment. Separately, Cybernews identified an **unprotected Elasticsearch cluster** exposing approximately **8.7 billion records** associated with China, including names, birthdates, home addresses, national ID numbers, social media identifiers, usernames, and other account/platform details; the dataset also reportedly contained **plaintext credentials** and corporate/business records, suggesting long-term aggregation. The database’s ownership was not confirmed, but it was subsequently secured; researchers characterized the exposure as a systemic privacy risk potentially affecting hundreds of millions of individuals. Two additional items in the set describe individual bug-hunting writeups (e.g., bypassing mobile controls and abusing password reset/IDOR-style issues) but do not provide verifiable linkage to the specific Firebase/Elasticsearch exposures described above.

1 month ago

EY SQL Database Backup Exposed via Cloud Misconfiguration

A 4TB+ SQL Server backup file belonging to Ernst & Young (EY) was discovered exposed to the public internet due to a cloud storage misconfiguration. The backup, which was unencrypted, contained highly sensitive information including API keys, session tokens, cached authentication tokens, service account passwords, and user credentials. The exposure was identified by Neo Security, whose lead researcher found and partially downloaded the file, confirming the presence of critical secrets. The incident highlights the risks associated with cloud storage misconfigurations, where even brief exposures can be detected and exploited by automated scans. Upon being notified by Neo Security, EY responded promptly and professionally, acknowledging the issue and engaging in clear, technical communication with the researchers. The firm’s incident response was described as "textbook perfect," with the vulnerability triaged and fully remediated within a week. The case underscores the importance of mature security practices and rapid response in mitigating the impact of accidental data exposures, especially when large volumes of sensitive corporate data are at risk.

4 months ago
