[BreachExchange] French daily Le Figaro database exposes users’ personal info

[Destry Winant]

https://www.bleepingcomputer.com/news/security/french-daily-le-figaro-database-exposes-users-personal-info/

French daily newspaper Le Figaro exposed roughly 7.4 billion records
containing personally identifiable information (PII) of reporters and
employees, as well as of at least 42,000 users.

The data was exposed by an unsecured database owned by Le Figaro and
containing over 8TB of data which was publicly accessible because of a
misconfigured Elasticsearch server.


Le Figaro's site is the most visited news site in France with an
audience of more than 23 million monthly unique visitors according to
stats provided by Médiamétrie / NetRatings.

Out in the open since February 2020

The database discovered by a Safety Detectives team lead by security
researcher Anurag Sen contained records with info on newly registered
new accounts between February and April 2020, as well as records of
pre-existing user accounts that were logging in during that period.

For pre-existing users, the database was only leaking PII data, while
in the case of new records login credentials were also left out in the
open for anyone to collect.

Based on the researchers' findings, the PII data exposed included
emails, full names, home addresses including countries of residence
and ZIP codes, passwords in plain text hashed using MD5, as well as IP
addresses and tokens used for access to internal servers.

All this information was stored in Le Figaro's database in the form of
API logs of the newspaper's mobile and desktop websites.

Example of leaked Le Figaro user record (Safety Detectives)

While the database's structure made it hard to estimate the exact
number of users, journalists, and employees whose data was exposed,
the researchers estimated that at least 42,000 records were exposed by
this leaky Elasticsearch server.

Network technical info also exposed

Besides the API logs containing PII data, the database also contained
a lot of technical logs with information on Le Figaro's backend
servers and other info that could make it easier for a threat actor
who would've obtained the info to launch a successful attack against
the newspaper.

These included potential access to admin accounts, communication
protocols, SQL query errors, and logs of network traffic between
multiple Le Figaro servers.

To confirm that the database was indeed owned by the French newspaper,
the researchers created a test user account on Le Figaro which later
showed up within the API logs as a newly created user.

"Finally, and most worrisome of all, the database was completely
exposed to the public – with no password required to access it," they
explain. "Anyone with the knowledge of the database’s IP address could
have gained access."

The data exposed by this misconfigured Elasticsearch cluster could be
used by attackers for identity theft and fraud, for credential
phishing attacks on other sites, to launch very convincing
spear-phishing attacks against Le Figaro's users, journalists, and
employees, and as a starting point for a cyberattack on Le Figaro's
network and backend servers.

Securing ElasticSearch clusters

Although Elastic Stack's core security features are now free since May
2019 as announced by Elastic NV, publicly-accessible, misconfigured
and unsecured ElasticSearch servers are regularly being spotted by
security researchers who scour the web for unprotected databases.

While Elastisearch servers should only be accessible on a company's
local network so that only the database's owners can access them as
explained by ElasticSearch's dev team back in December 2013, this
rarely happens.

Elastic NV recommends database admins to secure their ElasticSearch
stack by "encrypting communications, role-based access control, IP
filtering, and auditing," by setting up passwords for built-in users,
and by properly configuring the clusters before deployment.