An unprotected Elasticsearch cluster found via a Shodan search exposed 37,900 records of Kool King Shop customers, a French online shop specifically tailored to be used by kids who bought Burger King menus.

As Security Discovery researcher Bob Diachenko discovered after further investigation, the data was leaked because the database storing it was misconfigured, allowing anyone with an Internet connection and the knowledge to find it to get to the records stored within.

Since the database was not secured in any way and publicly accessible, anyone who reached it could then edit, download, or even destroy the data without needing admin credentials.

Leaked database

As the researcher also unearthed, the databases contained plain text data which was left out in the open since at least April 24, according to Shodan historical data.

The 37,900 Kool King Shop member records contained personally identifiable information (PII) such as "emails, passwords (access to the portal), names, phones, DOB, voucher codes, links to the externally stored certificates, etc."

Besides finding the tens of thousands of leaked member records, Diachenko also discovered the CRM access details for 25 administrators part of the Burger King staff with emails, names, and encrypted passwords.

In addition, the data leak also included some extra information in the form of " e-commerce CRM backend logs, with internal details and debug information."

Sample record

Burger King statement

"I did not notice ransom notes in the database, fortunately, but that doesn't necessarily mean that it wasn't accessed by somebody else," said Diachenko when asked by BleepingComputer if there were any signs that the database was previously meddled with.

Following the researcher's responsible disclosure which, ironically, was sent to the leaked database's administrators' emails (since they were also included in the leaked data), Burger King immediately disabled access to the database and sent the following statement:

We would like to thank you for your responsible disclosure of a possible security vulnerability in our infrastructure on certain customers’ data. Data protection is critical to Burger King and we do take these matters very seriously. All the necessary actions legally required have been taken internally and with our service provider immediately after this incident came to our knowledge to ensure the effective resolution of the problem as well as the safety of our clients’ data. We are also liaising with the relevant national authority having jurisdiction in this respect. We wanted to keep you informed that the issue has been investigated and that such possible vulnerability is now corrected.

Leaked admin credentials

Unprotected ElasticSearch databases are becoming the norm

Since the start of 2019, publicly accessible ElasticSearch databases leaked over 108 million bets at various online casinos exposing the bettors' PII data, a few hundreds of thousands of sensitive legal documents "not designated for publication," and around 33 million profiles of Chinese people looking for a job.

Also, more than114 million records of US citizens and companies and over 32 millions records of SKY Brasil customers were also affected by data leaks caused by unsecured ElasticSearch databases in November 2018.

As ElasticSearch's developers detailed in back in December 2013, Elastisearch servers are ​​​​never to be exposed to the Internet seeing that they should only be accessed on the internal network.

Elastic also advises administrators to set passwords for the server's built-in users, to secure the ElasticSearch stack by implementing measures for "encrypting communications, role-based access control, IP filtering, and auditing," as well as to correctly configure the ElasticSearch installation prior to deployment.