Honda's unsecured database exposes 134 million documents with 40GB worth of information

An unsecured Elasticsearch database belonging to Honda Motor Company was found exposing sensitive information about the company's internal systems and device data.

Justin Paine, the security researcher who found the unsecured database instance earlier this month, said it contained more than 134 million records with 40GB worth of information related to Honda's global systems, as well as about the company's staff.

"The information available in the database appeared to be something like an inventory of all Honda internal machines," Paine said in an online post.

"This included information such as machine hostname, MAC address, internal IP, operating system version, which patches had been applied, and the status of Honda's endpoint security software," he added.

According to Paine, he was searching Shodan when he found Honda's publicly accessible Elasticsearch database, which required no authentication. The exposed database was leaking information on an endpoint security vendor responsible for protecting Honda's machines from attacks, Paine said.

It also provided information about which machines had up-to-date endpoint security software installed, which machines were running an older OS, and which machines did not have endpoint security enabled.

Paine says the leaky database could have provided criminals with an easy map for discovering the "soft spots" in Honda's network security.

Apart from leaking sensitive system information, Paine also found a dataset revealing employees' details, such as their names, email addresses, department, account names, last login, and employee numbers.

Another dataset provided details about the CEO's email address, employee ID, account name, last login date, etc.

The unsecured database was found on 4th July, and Paine informed the company on 6th July.

Honda secured the database within the next 10 hours, and also thanked Paine for his timely advice. The company said it didn't find any evidence of the database being downloaded by third parties. It also stated that it will take appropriate measures to prevent such incidents from occurring in the future.

This is, however, not the first instance of a database leak exposing sensitive information about companies or people in the public domain - indeed, it has become an all-too-common occurrence.

Earlier this week, Capital One disclosed the loss of records about 106 million customers in the US and Canada, leaked from an S3 bucket protected by a misconfigured firewall. A former Amazon Web Services engineer was arrested and charged in connection with the data breach.

Last month, two databases lying unprotected on the internet leaked records of more than 90 million people and businesses in China.

Earlier in March, an unsecured database in China leaked personal information on more than 1.8 million women, also revealing their "BreedReady" status.

And also in March, 18 MongoDB databases in China were found to be exposing personal details of millions of accounts on six social platforms in the country.