The Elasticsearch server was left online without a password: 320 million records leaked
Hundreds of thousands of dating site users' personal data was left exposed without any password. Security researchers from vpnMentor found the leaky Elasticsearch server at the end of August. The database was taken offline after vpnMentor identified its owner, Mailfire, and contacted the company on September 3. vpnMentor wrote:
After investigating the server and compiling sufficient evidence to confirm Mailfire owned the exposed server, we reached out to the company and presented our findings. They acted immediately and secured the server within a few hours. Mailfire assumed full responsibility and insisted that the companies exposed were in no way responsible at all — and our research has also confirmed this to be true.
The massive data leak exposed users of more than 70 adult dating sites and e-commerce websites from around the world. All of these websites were using the same marketing software, made by Mailfire, an email marketing company.
Because the server was unsecured, people from around the world were exposed to threats such as blackmail, phishing scams, fraud, and identity theft. In total, people from more than 100 countries were affected, including Australia, Canada, France, the UK, the USA, Russia, Japan, Belgium, Estonia, Germany, Israel, and Singapore.
The exposed database stored copies of push notifications sent to users
All of the adult dating sites and other websites were using Mailfire's service to send push notifications to their users. This technology lets companies send real-time messages to users who have agreed to receive such messages from them.
The exposed database held more than 882 GB of log files generated while sending push notifications to users. The logs were updated in real time as new notifications went out; in total, data from 66 million individual notifications was leaked.
According to the reports, some e-commerce stores and classified ad networks from Africa were affected, but the majority were dating sites, and some of them were clearly suspicious:
Upon further investigation, it turned out that some of the sites exposed in the data leak were scams, set up to trick men looking for dates with women in various parts of the world.
Anyone could access users' profiles on dating sites
These adult dating sites promised the opportunity to find a beautiful, young female partner in East Asia, Eastern Europe, or other parts of the world. Most of them appeared to be part of a larger network. Their messages were essentially spam intended to lure users back to the dating site, although the users had agreed to receive these notifications.
The leaky server stored not only copies of these notifications but also personal information about the users. The sensitive data included names, gender, age, email addresses, general geographical locations, and IP addresses.
Moreover, the files contained links to users' profiles that embedded authentication keys, so anyone holding such a link could open the profile without a password. For the weeks the database sat exposed, anyone who found it could learn the identities of the dating sites' users and access their profiles: read private messages, see all information on the site, find old connections, and so on.
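The risk described above is that a log of outgoing notifications also stores the authenticated profile links embedded in them, so whoever can read the log can log in as the user. The following is an added example, not Mailfire's or vpnMentor's code: a scrubber that masks credential-bearing query parameters in every URL inside a log record before the record is indexed. The record layout, the field names, and the set of parameter names treated as secrets (`auth_key`, `token`, and so on) are assumptions, and the sample records are constructed.

```python
"""Redact authentication keys from push-notification log records before they are indexed.

Added example, not Mailfire's or vpnMentor's code. The record shape, field names and the
parameter names treated as secrets are assumptions; the sample records are constructed.
"""
import json
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-string parameter names assumed to carry profile-access credentials (assumption)
SECRET_PARAMS = {"auth_key", "token", "key", "session", "autologin"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def redact_url(url: str) -> tuple[str, bool]:
    """Return the URL with secret query parameters masked, and whether anything was masked."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    masked = False
    cleaned = []
    for name, value in pairs:
        if name.lower() in SECRET_PARAMS and value:
            cleaned.append((name, "REDACTED"))
            masked = True
        else:
            cleaned.append((name, value))
    if not masked:
        return url, False
    return urlunsplit(parts._replace(query=urlencode(cleaned))), True


def redact_text(text: str) -> tuple[str, int]:
    """Mask secrets in every URL found inside free text; return the new text and a count."""
    count = 0

    def _sub(match):
        nonlocal count
        new_url, masked = redact_url(match.group(0))
        count += int(masked)
        return new_url

    return URL_RE.sub(_sub, text), count


def redact_record(record: dict) -> tuple[dict, int]:
    """Walk a log record and redact URLs in every string field, nested dicts and lists included."""
    total = 0

    def walk(obj):
        nonlocal total
        if isinstance(obj, str):
            new_text, n = redact_text(obj)
            total += n
            return new_text
        if isinstance(obj, dict):
            return {k: walk(v) for k, v in obj.items()}
        if isinstance(obj, list):
            return [walk(v) for v in obj]
        return obj

    return walk(record), total


# Constructed sample records in the shape such a notification log might have (assumption)
SAMPLE_RECORDS = [
    {"event": "push_sent", "email": "alice@example.invalid",
     "body": "You have a new message! https://dating.example.invalid/inbox?uid=1001&auth_key=k9XyZ123",
     "meta": {"ip": "203.0.113.7", "link": "https://dating.example.invalid/profile/1001?token=abc"}},
    {"event": "push_sent", "email": "bob@example.invalid",
     "body": "Someone viewed your profile: https://dating.example.invalid/profile/1002",
     "meta": {"ip": "198.51.100.2"}},
]


def scrub_batch(records: list) -> tuple[list, int]:
    """Return (scrubbed records, number of records that carried at least one passwordless link)."""
    scrubbed, exposed = [], 0
    for rec in records:
        new_rec, n = redact_record(rec)
        scrubbed.append(new_rec)
        exposed += int(n > 0)
    return scrubbed, exposed


if __name__ == "__main__":
    cleaned, exposed = scrub_batch(SAMPLE_RECORDS)
    print(f"{exposed} of {len(SAMPLE_RECORDS)} records carried passwordless profile links")
    print(json.dumps(cleaned, indent=2))
```

Running the scrubber as a step in the log pipeline (before indexing) limits the damage of a later exposure to names and addresses; the second return value of `scrub_batch` doubles as a detection signal for how many records would have carried live credentials.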
According to the researchers from vpnMentor, Mailfire could easily have avoided this massive data leak by securing its servers, never leaving a system exposed to the internet without a password, and implementing proper access rules. Exposing such sensitive data online may result in blackmail attempts similar to those in the Ashley Madison case; after that leak, some affected users even took their own lives.
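The three recommendations above translate into a handful of node settings. As an added example, not Mailfire's configuration and not vpnMentor's tooling, the script below audits an `elasticsearch.yml` fragment for the combination this incident illustrates: a node reachable from the network with authentication switched off. It assumes the flat `key: value` form of the file (no nested YAML blocks); the two configurations shown are constructed, and the setting names (`network.host`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`, `xpack.security.authc.anonymous.roles`) are real Elasticsearch settings.

```python
"""Audit an elasticsearch.yml fragment for settings that leave a cluster exposed.

Added example, not Mailfire's configuration. Reads the flat `key: value` form of
elasticsearch.yml (assumption: no nested YAML blocks) and flags a node that is reachable
from the network while authentication is disabled. Both configurations are constructed.
"""

# Constructed: the kind of configuration that leaves the index readable by anyone
WEAK_CONFIG = """\
cluster.name: push-logs
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed: bound to one internal address, authentication and TLS on
HARDENED_CONFIG = """\
cluster.name: push-logs
network.host: 10.0.5.12
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1", "_local_"}
ALL_INTERFACES = {"0.0.0.0", "::", "_global_", "_site_"}


def parse_flat_yaml(text: str) -> dict:
    """Parse `key: value` lines into a dict; comments and blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit(settings: dict) -> list[tuple[str, str]]:
    """Return (severity, message) findings for settings that weaken node access control."""
    findings = []
    host = settings.get("network.host", "_local_")  # Elasticsearch binds loopback when unset
    reachable = host not in LOOPBACK
    security = settings.get("xpack.security.enabled")
    if host in ALL_INTERFACES:
        findings.append(("WARN", f"network.host={host} binds every interface, public ones included"))
    if security is None:
        findings.append(("WARN", "xpack.security.enabled is not set; versions before 8.0 default it to false"))
    if reachable and security == "false":
        findings.append(("CRITICAL", "node is reachable over the network with authentication disabled"))
    if security == "true" and settings.get("xpack.security.http.ssl.enabled") != "true":
        findings.append(("WARN", "authentication is on but HTTP TLS is off; credentials cross the wire in clear text"))
    if "xpack.security.authc.anonymous.roles" in settings:
        findings.append(("WARN", "anonymous roles are configured; unauthenticated requests receive those privileges"))
    return findings


def is_exposed(config_text: str) -> bool:
    """True when the fragment describes a node anyone on the network can read without a password."""
    return any(severity == "CRITICAL" for severity, _ in audit(parse_flat_yaml(config_text)))


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}] exposed={is_exposed(cfg)}")
        for severity, message in audit(parse_flat_yaml(cfg)):
            print(f"  {severity}: {message}")
```

The check is deliberately conservative: a private address such as `10.0.5.12` still counts as reachable, because an internal network is not an access rule. Enabling `xpack.security.enabled` covers the "password" recommendation; role-based access rules and a firewall or reverse proxy in front of port 9200 cover the rest.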