[BreachExchange] SKY Brasil Exposes 32 Million Customer Records

[Destry Winant]

https://www.bleepingcomputer.com/news/security/sky-brasil-exposes-32-million-customer-records/

Data belonging to 32 million customers of SKY Brasil has been exposed
online long enough to make their theft very likely, an independent
security researcher discovered.

Fábio Castro found that the data cache could be reached by anyone that
knew where to look on the internet.

Personal info ready for the picking

Using the advanced features of the Shodan search engine, he was able
to discover multiple servers in Brazil running Elasticsearch that made
information available without authentication.

A cluster of servers called "digital-logs-prd" attracted the
researcher's attention and with a simple command, he listed the
indices available, one of them 429.1GB in size.

The file included personally identifiable information of SKY Brasil
customers, which featured full name, email address, service login
password, client IP address, payment methods, phone number, and street
address.

"The data the server stored was Full name, e-mail, password, pay-TV
package data (Sky Brazil), client ip addresses, personal addresses,
payment methods," Castro told BleepingComputer. "Among other
information the model of the device, serial numbers of the device that
is in the customer's home, and also the log files of the whole
platform."

SKY Brasil is a telecommunications company that also offers television
services, being the second largest provider of pay-TV services in the
country, according to statistics from March.

In a conversation with BleepingComputer, Castro said that he reported
his findings to the company who fixed the problem by restricting
access with a password, an operation that takes just a few minutes.

Because the server has been exposed for a long time, the protective
measure may have come too late. Castro told us that it is very
possible that criminals have already grabbed the data.

Bad habits die hard

According to the researcher, who is a customer of SKY Brasil and had
his info exposed, too, the data cache contained the home addresses and
phone numbers belonging to high-ranked politicians, such as governors,
and government employees.

Details like these are a boon for criminals. They can use it in
elaborate and difficult to detect social engineering attacks well-off
individuals.

Although protecting sensitive information against public access is
common sense security, misconfigured Elasticsearch servers are a
regular thing even for large corporations handling hundreds of
millions of records with personal data.

Cybercriminals have been taking advantage of data servers exposed
online for a long time. BleepingComputer reported in the past on
hackers hijacking insecure MongoDB, ElasticSearch, Hadoop, CouchDB,
Cassandra, and MySQL and holding them for ransom.