Users of 70 different adult dating and e-commerce websites have had their personal information exposed, thanks to a misconfigured, publicly accessible Elasticsearch cloud server. In all, 320 million individual records were leaked online, researchers said.
All of the impacted websites have one thing in common: They all use marketing software from Mailfire, according to researchers at vpnMentor. The data kept on the server was connected to a notification tool used by Mailfire’s clients to market to their website users and, in the case of dating sites, notify website users of new messages from potential matches.
The data – totaling 882.1GB – comes from hundreds of thousands of individuals, vpnMentor noted; the affected people stretch across the globe, in more than 100 countries.
Interestingly, some of the impacted sites are scam sites, the company found, “set up to trick men looking for dates with women in various parts of the world.” The majority of the impacted sites, however, are legitimate, including a dating site for meeting Asian women; a premium international dating site targeting an older demographic; one for people who want to date Colombians; and other “niche” dating destinations.
The impacted data includes notification messages; personally identifiable information (PII); private messages; authentication tokens and links; and email content.
The PII includes full names; age and dates of birth; gender; email addresses; location data; IP addresses; profile pictures uploaded by users; and profile bio descriptions. But perhaps more alarming, the leak also exposed conversations between users on the dating sites as well as email content.
“These often revealed private and potentially embarrassing or compromising details of people’s personal lives and romantic or sexual interests,” vpnMentor researchers explained. “Furthermore, it was possible to view all the emails sent by the companies, including the emails regarding password reset. With these emails, malicious hackers could reset passwords, access accounts and take them over, locking out users and pursuing various acts of crime and fraud.”
Mailfire data at some point was indeed accessed by bad actors; the exposed server was the victim of a cyberattack campaign dubbed “Meow,” according to vpnMentor. In these attacks, cybercriminals are targeting unsecured Elasticsearch servers and wiping their data. By the time vpnMentor had discovered the exposed server, it had already been wiped once.
“At the beginning of our investigation, the server’s database was storing 882.1 GB of data from the previous four days, containing over 320 million records for 66 million individual notifications sent in just 96 hours,” according to a Monday blog posting. “This is an absolutely massive amount of data to be stored in the open, and it kept growing. Tens of millions of new records were uploaded to the server via new indices each day we were investigating it.”
An anonymous ethical hacker tipped vpnMentor off to the situation on Aug. 31, and it’s unclear how long the older, wiped information was exposed before that. Mailfire secured the database the same day that it was notified of the issue, on Sept. 3.
Cloud misconfigurations that lead to data leaks and breaches continue to plague the security landscape. Earlier in September, an estimated 100,000 customers of Razer, a purveyor of high-end gaming gear ranging from laptops to apparel, had their private info exposed via a misconfigured Elasticsearch server.
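The two incidents above share the same root cause: an Elasticsearch node listening on a public interface with no authentication in front of it. The following audit is an added example, not code from the article, vpnMentor or Mailfire; it reads the relevant keys from a flat elasticsearch.yml (the sample configs are constructed) and flags that combination, treating an absent network.host as the Elasticsearch default of loopback.

```python
"""Added example: flag an Elasticsearch node that is bound to a non-loopback
interface with security disabled, the pattern behind the leaks described above."""

# Constructed sample configs (assumption: flat "key: value" lines only;
# nested YAML is out of scope for this check).
EXPOSED_CONFIG = """
cluster.name: marketing-notifications
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

HARDENED_CONFIG = """
cluster.name: marketing-notifications
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Values of network.host that keep the node reachable only from the host itself.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text):
    """Parse 'key: value' lines into a dict, skipping blanks and comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().lower()
    return settings


def audit_elasticsearch(text):
    """Return a list of findings; an empty list means the checked settings are safe."""
    s = parse_flat_yaml(text)
    findings = []
    host = s.get("network.host", "127.0.0.1")  # Elasticsearch defaults to loopback
    if host not in LOOPBACK:
        findings.append("node bound to a non-loopback interface: %s" % host)
        # Only an explicit "false" is reported; the default varies by version.
        if s.get("xpack.security.enabled") == "false":
            findings.append("authentication disabled on an exposed node")
        if s.get("xpack.security.http.ssl.enabled", "false") != "true":
            findings.append("HTTP API served without TLS on an exposed node")
    return findings
```

A node that fails this check is exactly the kind of target the “Meow” wiping campaign hits, so the check belongs in deployment review, not only in incident response.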