As well as exposing data about its own staff, the leading French daily has also exposed information relating to at least 42,000 users, as Bleeping Computer has reported. The breach is significant in terms of news media: Le Figaro’s site is the most visited news site in France, with an audience of more than 23 million monthly unique visitors.
The data exposed by this misconfiguration could be used by fraudsters for identity theft, fraud, and credential phishing attacks. Because the server was not protected by a password, the data was available to anyone who found it.
The repercussions of this breach go beyond the initial exposure, according to Jumio CEO Robert Prigge, who provided comment to Digital Journal.
According to Prigge: “The 7.4 billion personal records exposed by Le Figaro are certain to make it onto the dark web where they will be bought and sold for profit and combined with other available information to create a “fullz,” giving fraudsters everything they need to commit automated account takeover fraud.”
The significance of this, Prigge explains, is that: “Cybercriminals can then use this data to access anything from bank accounts to social media apps, which are often used to unlock even more personal accounts. People frequently use the same password across accounts, making it even simpler for fraudsters to execute credential stuffing and access as many user accounts as possible with the same exposed password.”
In terms of the significant lessons to learn from this incident, Prigge notes: “While the database was not secured with a password, organizations should not be relying on passwords to keep personal records secure. Leveraging biometric authentication (using a person’s unique human traits to confirm identity) is a more secure way to confirm only an account owner can access their data.”