Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Saturday November 23 2019, @06:35AM   Printer-friendly
from the what-does-the-GDPR-have-to-say-about-it? dept.

Absolutely humongous data breach exposes more than a billion records

Well, this is certainly not great: An unprotected database of more than a billion users' records from across the internet — including "social media accounts, email addresses, and phone numbers" — was discovered on an unidentified Elasticsearch server that could be accessed by anyone with the server's web address.

What's even weirder is, according to Bloomberg, no one is exactly sure how it got there.

The discovery was made in October by cybersecurity experts Bob Diachenko and Vinny Troia; the 4 terabytes of data they found also included Facebook, Twitter, and LinkedIn profile information. All told, the server contained information on four billion user accounts and 650 million unique email addresses, affecting 1.2 billion people.

As WIRED points out, though, it's important to keep in mind what the data does not include: things like passwords and credit card numbers. So at least there's that! Troia also told WIRED that the server is no longer online and that he reported its presence to the FBI.

While it's unknown how the data got to be on this server, there are a few things Troia was able to uncover. First, it seems like the data came from multiple datasets, some of it from data broker People Data Labs (PDL), which provides "data enrichment." (TL;DR: It provides data points on internet users so brands can create more specific content with which to target these users.)

Second, the server the information was found on did not belong to PDL. Troia reports that PDL "appears to use Amazon Web Services" for their servers, while the mystery data-laden server was residing — again, unprotected — on Google's Cloud Services. Neither the server or the data were controlled by Google.

[...] Troia and Sean Thorne, co-founder of People Data Labs (PDL), both indicated to WIRED that the data probably wasn't obtained via a breach of PDL, but may have been obtained legitimately by a customer who bought the data for data enrichment purposes and left it unprotected.

Said Thorne, "The owner of this server likely used one of our enrichment products, along with a number of other data enrichment or licensing services. Once a customer receives data from us, or any other data providers, the data is on their servers and the security is their responsibility."

[...] The scariest thing, as Troia points out, is that if this really is just gross mismanagement of legitimately obtained data, there's little to be done in terms of holding anyone accountable for the breach.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: -1, Flamebait) by Anonymous Coward on Saturday November 23 2019, @11:07AM

    by Anonymous Coward on Saturday November 23 2019, @11:07AM (#923774)

    One Billion Runaways, screaming out into cyberspace, where no one can hear you, but they might be able to find a photo [gstatic.com].

    Starting Score:    0  points
    Moderation   -1  
       Flamebait=1, Total=1
    Extra 'Flamebait' Modifier   0  

    Total Score:   -1