Upon being alerted by security researcher Anurag Sen, the company rubbished the sensitivity of the matter by labeling the exposed database as “an insignificant one.”
Anurag Sen, a prominent IT security researcher has shared exclusive information with Hackread.com revealing that Sydney, Australia-based trading company ACY Securities (acy.com) exposed a massive trove of personal and financial data of unsuspected users and businesses online for public access.
Another day, another misconfigured database
It happened due to a misconfigured database owned by ACY Securities. The worse part of the data leak is the fact that it contained over 60GB worth of data that was left exposed without any security authentication. This means anyone with a slight bit of knowledge about finding unsecured databases on Shodan and other such platforms would have complete access to ACY’s data which contained logs from February 2020 while being updated with the latest data set every second.
As seen by Hackread.com, the exposed database hosted the following user data:
- Full name
- Postcode
- Full address
- Date of birth
- Name of city
- Gender details
- Email address
- Phone Number
- Hashed password
- Trading-related information like business details and more.
List of countries where most users and businesses were impacted:
- India
- China
- Spain
- Brazil
- Russia
- Australia
- Romania
- Malaysia
- Indonesia
- United States
- United Kingdom
- United Arab Emirates and many more.
No Value to Sensitive Nature of Data
Anurag told Hackread.com that he reached out to ACY multiple times last week with necessary proof however it took the company a couple of days to understand and address the issue. An ACY representative replied to the researcher by labeling the exposed server as an “insignificant one.”
“They officially emailed me stating that ” Thank you for mentioning this, the below server is an insignificant one” – “I am really not happy with the reply. They are considering personal details of registered users including hashed password, email address, physical address, full name, and mobile number – insignificant.”
Anurag told Hackread.com
Nevertheless, at the time of publishing this article, the exposed database was secured and its IP addresses were no longer accessible to the public.
Potential Dangers
The severity of misconfigured and exposed databases can be quantified by the fact that earlier this year, Anonymous and its affiliate group of hackers compromised around 90% of Russian cloud databases that were exposed to the public without any security authentication or password.
In ACY’s case, considering the extent and nature of exposed data, the incident could have far-reaching implications. Such as bad actors could download the data and carry out identity theft, phishing scams, scam marketing campaigns, and microloans identity fraud.
Misconfigured Databases – Threat to Privacy
Misconfigured or unsecured databases, as we know it, have become a major privacy threat to companies and unsuspected users. In 2020, researchers identified over 10,000 unsecured databases that exposed more than ten billion (10,463,315,645) records to public access without any security authentication. In 2021, the number increased to 399,200 exposed databases.
More Elasticsearch database Mess Ups
- 9,517 unsecured databases identified with 10 billion records globally
- New malware attack turns Elasticsearch databases into DDoS botnet
- Stripchat database mess up exposes 200M adult cam models, users’ data
- US and China Exposed Most Databases Among 308,000 Discovered in 2021
- Misconfigured ElasticSearch Servers Exposed 579GB of Users’ Website Activity