
Israeli Marketing Company Exposes Contacts Database

Data includes Names, Addresses, Email Addresses, Phone Numbers

An Israeli marketing company left authentication credentials for an Elasticsearch database online, exposing more than 140 GB worth of contact details for individuals in the U.S. and Europe.


The exposed data includes names, email addresses, phone numbers, physical addresses and genders, but not all records have those fields completed, according to a sample seen by Information Security Media Group.

A sample record from Straffic's contacts database

The discovery of the exposure stemmed from a U.S.-based security specialist who became frustrated after receiving unwanted marketing messages over SMS for more than two years and decided to investigate.

The owner of the data is Straffic.io, which describes itself as a "private performance marketing network." According to its Facebook page, the company was founded in June 2017.

On Wednesday, Straffic CEO Ohad Betzaig acknowledged the database belonged to his company. The company posted a notification on its website saying that it confirmed a weakness and that it had been "patched."

"Following this report, we confirmed a weakness did exist and promptly patched it, in addition to fortifying our existing security protocols," Straffic says. "As of now, all systems are secure, and we did not find evidence of any data misuse or data loss. We continue to investigate and will notify if we find evidence to the contrary. Although we do our very best to protect the security of our service and deeply regret such a vulnerability has been found on our service, it is impossible to create a totally immune system, and these things can occur."

Troy Hunt, a data breach expert and creator of the Have I Been Pwned data breach notification site, says Straffic's notification "has to be one of the worst disclosure notices I've seen."

Hunt adds: "It offers nothing of substance regarding what data was exposed, when the vulnerability was introduced, when it was fixed, how many people were impacted and indeed if they're even being notified. Then there's the comment that 'it is impossible to create a totally immune system', which appears to serve no purpose than attempting to excuse their failure to secure the system."

Leaked Credentials

Elasticsearch is a storage and querying platform that's popular for handling log data and enabling fast search features. But computer security researchers regularly find databases that have been configured incorrectly and left open on the internet without authentication (see: Microsoft Error Exposed 250 Million Elasticsearch Records).

That's not what happened in Straffic.io's case, however. Instead, Straffic's Elasticsearch cluster was indeed password protected. But the credentials were left in a plain-text file on a random domain that is now offline.

Those credentials were found by a San Diego-based DevOps engineer who goes by the Twitter handle 0m3n.

An example of an SMS marketing message received by 0m3n

"I have been getting spam text messages for the past two years from random phone numbers with similar messages containing links to gibberish domains," he tells ISMG. "I decided to take a look at one and found a .env file on the webserver of one of the domains in said messages which was a config file that pointed to an AWS Elasticsearch instance."

The credentials unlocked the database, which contained two indexes containing people's contact details, collectively amounting to more than 140 GB of data. It also contained Laravel logs for one of Straffic.io's applications. Laravel logs are created for applications that are written using the Laravel framework.
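The exposure path described above (a Laravel-style `.env` file deployed into a public web root, carrying the credentials that unlocked the cluster) is the kind of mistake a pre-deploy check can catch. The following audit script is an added example, not code from the article, ISMG or Straffic; it walks a web root, parses any dotenv files it finds, and reports only the names of credential-bearing keys. The `.env` contents, key names and hostnames are constructed.

```python
# Pre-deploy audit for the failure mode above: a dotenv file left in a public web
# root holding search-cluster credentials. Added example (not the article's or
# Straffic's code); SAMPLE_ENV and every name and value in it are constructed.
import os
import re
import tempfile

SECRET_KEY_RE = re.compile(r"PASSWORD|PASS\b|SECRET|TOKEN|API_KEY|ACCESS_KEY", re.I)
SENSITIVE_NAMES = {".env", ".env.local", ".env.production"}

def parse_env(text):
    """Parse dotenv KEY=value lines; skips comments, strips quotes and 'export'."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().removeprefix("export ").strip()
        env[key] = value.strip().strip('"').strip("'")
    return env

def secret_keys(env):
    """Names (never values) of keys whose values look like credentials."""
    return sorted(k for k, v in env.items() if v and SECRET_KEY_RE.search(k))

def audit_webroot(root):
    """Map each sensitive dotfile under root (relative path) to its secret keys."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(set(files) & SENSITIVE_NAMES):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings[os.path.relpath(path, root)] = secret_keys(parse_env(fh.read()))
    return findings

SAMPLE_ENV = """APP_NAME=demo
export APP_ENV=production
# search backend
ELASTICSEARCH_HOST="search.example.invalid"
ELASTICSEARCH_PASSWORD='not-a-real-password'
"""

def demo():
    """Write SAMPLE_ENV into a throwaway web root and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "public"))
        with open(os.path.join(root, "public", ".env"), "w") as fh:
            fh.write(SAMPLE_ENV)
        return audit_webroot(root)
```

Run it as a CI step against the directory that will become the document root; a non-empty result means a secret would ship to the web server.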

"It's a huge amount of data," Hunt says.

Broader Notification?

ISMG reached out to Straffic and filed a report with Amazon Web Services. On Feb. 20, AWS told ISMG that the database had been secured.

Hunt, who has analyzed the data, says it contains 49 million unique email addresses, 70 percent of which have been entered into Have I Been Pwned before. He extracts email addresses from data breaches, and once he enters those into Have I Been Pwned, emails are sent to those who have signed up with the service letting them know their data was in a breach or exposure.

In some countries or jurisdictions, the data that was exposed could qualify as a reportable data breach. The data set contains tens of thousands of email addresses from the Netherlands, Belgium, France, Spain, Germany and other EU member states. Those users would be covered by the General Data Protection Regulation.

Under GDPR, organizations can be fined 20 million euros or 4 percent of annual global revenue, whichever is greater, for violations. GDPR requires organizations to report an incident within 72 hours. It wasn't immediately clear whether Straffic.io planned to notify regulators in Europe or the U.S.

It's also unclear how Straffic obtained so much personal contact data. But privacy experts have pointed out that the transfer or sale of personal data to other parties who then either lose or misplace it poses risks to consumers.

Hunt says there are so many data aggregators now that it's impossible for people to know which organizations have their data.

"Time and time again, we've seen incidents like this with organizations we've never heard of, yet somehow, they have hundreds of millions of records which they've now leaked to an unknown number of parties," he says.