In total, two misconfigured ElasticSearch servers belonging to an unknown organization exposed 359,019,902 (359 million) records that were collected with the help of data analytics software developed by SnowPlow Analytics.
The IT security researchers at Website Planet have identified two exposed ElasticSearch servers belonging to an unnamed organization using open-source data analytics software developed by the London, England-based software vendor, SnowPlow Analytics.
This software allows companies to track and store information on their website(s) visitors, apparently without the visitors' knowledge. It is worth noting that a web analytics tool can collect a wide range of data metrics. The data is then used to create an extensive, detailed profile of site visitors.
Case of Misconfigured ElasticSearch Servers
According to researchers, both ElasticSearch servers didn’t have any encryption or user authentication measures in place, meaning anyone could have accessed the data without the need for a password.
The unsecured, misconfigured servers eventually exposed 359,019,902 records, which equals around 579.4 GB of data. The exposed servers contained detailed logs of web user traffic, including the following.
- Referrer page
- Timestamp
- IP address
- Geolocation data
- Web page visited
- User-agent data of website visitors
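The misconfiguration described above (no encryption, no user authentication) can be caught before deployment by auditing a node's `elasticsearch.yml`. The following is an added example, not code from Website Planet, Elastic or SnowPlow Analytics; the two sample configs are constructed, and treating an unset key as disabled is a conservative assumption.

```python
import re

# Settings that must be "true" for authenticated, encrypted access.
REQUIRED_TRUE = ("xpack.security.enabled", "xpack.security.http.ssl.enabled",
                 "xpack.security.transport.ssl.enabled")
LOOPBACK = {"localhost", "127.0.0.1", "::1", "_local_"}
# Constructed sample configs (not taken from the exposed servers).
EXPOSED = """
network.host: 0.0.0.0   # binds every interface
xpack.security.enabled: false
"""
HARDENED = """
network.host: 0.0.0.0
xpack:
  security:
    enabled: true
    http.ssl.enabled: true
    transport.ssl.enabled: true
"""

def flatten_yaml(text):
    """Flatten the plain key/value subset of YAML (dotted or nested keys)."""
    settings, stack = {}, []   # stack: (indent, key) of open mappings
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw).rstrip()
        if not line.strip() or line.lstrip().startswith(("#", "-")):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        value = value.strip().strip("\"'")
        if value:
            settings[path] = value
        else:
            stack.append((indent, key.strip()))
    return settings

def audit(text):
    """Return findings; an empty list means nothing was flagged."""
    cfg, findings = flatten_yaml(text), []
    for key in REQUIRED_TRUE:
        # Assumption: an unset key counts as disabled (conservative).
        if cfg.get(key, "false").lower() != "true":
            findings.append(f"{key} is not true")
    host = cfg.get("network.host", "_local_")
    if findings and host not in LOOPBACK:
        findings.append(f"network.host={host} is reachable beyond loopback")
    return findings
```

Calling `audit(EXPOSED)` returns four findings, while `audit(HARDENED)` returns an empty list.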
Details of Exposed Data
According to Website Planet’s blog post published last week, both servers contained user data for two months in 2021. The first server comprised data from September 2021 with 242,728,328 records or 389.7 GB of data collected between September 2nd, 2021, and October 1st, 2021.
The second server contained December 2021 data featuring 116,291,574 records or 189.7 GB of data collected between December 1st, 2021, and December 27th, 2021.
Fifteen Million Potentially Affected Users
The research team further noted that around 4 to 100 records appear for each user on the two servers, and given that there are multiple logs for each user, this exposure might impact at least 15 million people.
It is worth noting that the exposed data can allow attackers to locate people using the user profiles in the server logs and to filter users by their IP addresses. This means the disclosed information can let attackers obtain extensive details about every user’s digital trail, such as web browsing preferences and other activities.
Furthermore, the servers were live and actively receiving new information at the time they were discovered. However, neither ElasticSearch nor SnowPlow Analytics is responsible for this exposure because the company that owns the misconfigured servers is at fault.
The data exposure might have a far-reaching impact because users worldwide are affected by this exposure. However, it is unclear whether the servers were accessed by a third party with malicious intent or not.
Nevertheless, at the time of publishing this article, both exposed servers were secured after Website Planet sent alerts to concerned authorities.