Data from an exposed LimeLeads Elasticsearch server has ended up on a hacking forum, being sold by a well-known individual on underground hacking forums named Omnichorus, who has build a reputation for sharing and selling hacked and stolen data.
A huge database of 49 million business contacts sold online on a underground hacking forum
* Data belongs to LimeLeads, a B2B leads company
* Company exposed an ES server from July to Sep 2019
* DB secured but hackers also got to the datahttps://t.co/dpZTlyZaxx pic.twitter.com/DXn7z9FBOX
— Catalin Cimpanu (@campuscodi) January 14, 2020
A missing password is a misconfiguration. It’s a mistake. Mistakes can be incredibly costly though and the truth is they’re quite easy to make when it comes to staying on top of the literally thousands of settings that can be so easily exploited and manipulated by threat actors.
This is exactly why proactive security measures like vulnerability assessment and desired state configuration are so important as part of a layered security program though.
Achieving the discipline to ensure even just the most critical configurations are set properly across every resource would drastically improve any organization’s security posture. The discipline is unfortunately the hardest part.
It’s a new breach, but not a new story. Once again, we see how a lack of proper security controls can result in massive data exposure. In this case, LimeLeads neglected to set up a password for an internal server, which would have prevented 49 million user records from being lifted and sold online. Most concerning, however, is the impact that this breach has on the companies and contacts that were part of that stolen data, who can now be targeted for spear-phishing attacks.
The takeaway from this, as well as from the many similar data exposure incidents, is clear: organizations must assess and continuously monitor the security of their own data—as well as the data used by their business partners—and be vigilant about how sensitive information is stored.”
Ever wonder why you may be seeing more spam and phishing emails popping up in your work-domain email? Data breaches and exposure incidents like this could be the reason. It’s easy to assume that ‘data in the cloud’ and ‘ElasticSearch’ databases are the reason for the data breaches; both have been found in other large-scale data breaches reported in 2018 and 2019. However, cloud and databases are infrastructure technologies, and applying truly effective data security goes beyond the act of turning on infrastructure security.
In this particular case, not only did this company fail to set up access security for the internal server that contained this data, the company also failed to encrypt or tokenize the data itself. Encryption and tokenization are actually more important than access security, because the data would be protected in a way that makes the data meaningless and worthless to a hacker or bad actor. The encrypted or tokenized data could not be listed for sale on the dark web because the data would be undecipherable.
The takeaway should be – “If you collect it, protect it.” Sensitive data should *not* be accessible by everyone, and, sensitive data should *not* be stored in its clear-text format no matter if it is in your secured network, in the cloud, or in databases.
In today’s global, data-centric landscape, database leaks continue to increase in frequency and in significance. Massive leaks have yet to slow down in the past two years and individuals’ personal information continues to be compromised from recurring breaches as critical security measures, such as passwords, are still yet to be deployed.
It only takes one cybercriminal to cause drastic damage as we have seen with the LimeLeads incident, impacting over 49 million user records. Unfortunately, the database left exposed for a period of two weeks was long enough for a cybercriminal to access the sensitive data. In any case, when there is detection of a breach, rapid incident response can mean the difference between a damaging data breach and quick containment. There must be advanced security tools in place that automate common investigation tasks and streamline remediation and response in order to halt a breach immediately and in real-time.
Organizations continue to miss the most basic security measure of properly password protecting critical assets. These types of embarrassing incidents, the effect of misconfigurations and poor cyber hygiene, are at the root of several recent leaks such as the Wyze data breach which leaked 2.4 million users’ data just last month.
Unfortunately, even though LimeLeads took immediate action to secure the exposed internal server and mitigate damage within 24 hours of being notified, the Elasticsearch misconfiguration was exploitable since July 2019, possibly even longer. This is another case of an ounce of prevention being worth a pound of cure. The fast response might win them some empathy, but the direct and reputational costs of exposing 50 million records will have a massive impact on the future of LimeLeads\’ business.