Data belonging to 32 million customers of SKY Brasil has been exposed online long enough to make their theft very likely, an independent security researcher discovered.
Fábio Castro found that the data cache could be reached by anyone that knew where to look on the internet.
32 million Sky Brasil customer data records were accessed on an Elastiscsearch server without any authentication. Sky is a Brazilian telecommunications company that offers satellite pay-TV and 4G broadband internet.@skybrasil @MayhemDayOne @troyhunt @felipepayao @malwrhunterteam pic.twitter.com/FcaAfZYckY
— Fábio Castro 🇧🇷 (@6IX7ine) November 28, 2018
Personal info ready for the picking
Using the advanced features of the Shodan search engine, he was able to discover multiple servers in Brazil running Elasticsearch that made information available without authentication.
A cluster of servers called “digital-logs-prd” attracted the researcher’s attention and with a simple command, he listed the indices available, one of them 429.1GB in size.
The file included personally identifiable information of SKY Brasil customers, which featured full name, email address, service login password, client IP address, payment methods, phone number, and street address.
“The data the server stored was Full name, e-mail, password, pay-TV package data (Sky Brazil), client ip addresses, personal addresses, payment methods,” Castro told BleepingComputer. “Among other information the model of the device, serial numbers of the device that is in the customer’s home, and also the log files of the whole platform.”
SKY Brasil is a telecommunications company that also offers television services, being the second largest provider of pay-TV services in the country, according to statistics from March.
In a conversation with BleepingComputer, Castro said that he reported his findings to the company who fixed the problem by restricting access with a password, an operation that takes just a few minutes.
Because the server has been exposed for a long time, the protective measure may have come too late. Castro told us that it is very possible that criminals have already grabbed the data.
Bad habits die hard
According to the researcher, who is a customer of SKY Brasil and had his info exposed, too, the data cache contained the home addresses and phone numbers belonging to high-ranked politicians, such as governors, and government employees.
Details like these are a boon for criminals. They can use it in elaborate and difficult to detect social engineering attacks well-off individuals.
Although protecting sensitive information against public access is common sense security, misconfigured Elasticsearch servers are a regular thing even for large corporations handling hundreds of millions of records with personal data.
Cybercriminals have been taking advantage of data servers exposed online for a long time. BleepingComputer reported in the past on hackers hijacking insecure MongoDB, ElasticSearch, Hadoop, CouchDB, Cassandra, and MySQL and holding them for ransom.