Telegraph left 10 TB database with subscriber details unsecured
Data exposed included users' full names, email addresses, URL requests and authentication tokens
The Telegraph left 10 TB of subscriber data and server logs open to a breach after failing to properly secure one of its Elasticsearch clusters for several days.
The mistake was uncovered by security researcher Bob Diachenko, who found the unprotected dataset on 14 September 2021.
Diachenko said the cluster was freely accessible "without a password or any other authentication required to access it". At the time of his review, the personal details of at least 1,200 telegraph.[co].[uk] subscribers were accessible without a password. The exposed details included users' full names, email addresses, device details, IP addresses, URL requests, unique reader identifiers and authentication tokens.
As reported by BleepingComputer, the unprotected database also exposed a handful of gov.uk email addresses and a large number of internal server logs.
After identifying the owner of the unsecured database (The Telegraph), Diachenko immediately alerted the newspaper about the exposure.
On 16 September, Diachenko tweeted an alert message to draw the publication's attention to the unsecured database. A representative then acknowledged the incident and secured the database the same day.
According to Diachenko, the database had been exposed online since 1 September and was probably open to attack for at least three weeks.
In a statement, The Telegraph noted that it became aware of the incident on 16 September and took immediate steps to secure the data.
"An investigation showed that only a small number of records were exposed - less than 0.1 per cent of our users and we have contacted all the users to advise them."
The investigation also concluded that while the data was exposed, it was not breached other than the discovery posted by the security researcher, according to the company.
Diachenko, however, warned that cyber criminals could use names and emails in the database to send targeted phishing messages to affected users. The leak of users' URL requests may also pose a privacy risk, as malicious actors could use the information to recreate the users' browsing history on the news platform.
Unsecured Elasticsearch clusters are a relatively common way for sensitive data to be exposed to the wider world.
In 2019, an unsecured Elasticsearch database belonging to Honda Motor Company was found exposing sensitive information about the company's internal systems and device data.
The security researcher who found the unsecured database instance said it contained more than 134 million records with 40 GB worth of information related to Honda's global systems, as well as about the company's staff.
Last year, sports retailer Decathlon spilled a total of 123 million records - including completely unencrypted passwords - through an improperly secured AWS Elasticsearch database which contained a 'treasure trove' of employee data.