Security researchers at vpnMentor have issued a report revealing that business-to-business marketing company OneMoreLead was leaking the private data of up to 126 million U.S. citizens on a misconfigured Elasticsearch server.
OneMoreLead is a new company, offering corporate clients access to over 40 million business leads for their company, along with a host of related services and software tools.
The report indicates, as noted by Forbes, that 34GB of private and highly sensitive personally identifiable data was listed, including home addresses and phone numbers, email addresses, home device IP addresses, work emails and employers. This places not just citizens at risk but also their employers, considering many are still working remotely.
Data from members of the government and police are included, making this leak particularly lucrative for hackers if they are supported by a foreign rogue government.
Furthermore, the report notes that the information could be used to build effective phishing campaigns, posing as a person’s employer, the government, and other trusted organizations to trick targets into any of the following:
- Sharing additional data that could be used for identity theft and financial fraud (e.g., social security numbers, tax records).
- Providing credit card information or details about bank accounts.
- Clicking a link embedded with malicious software, such as ransomware, spyware, or another form of virus.
vpnMentor researcher Noam Rotem explains to Digital Journal how this issue has come about: “By not securing this database, OneMoreLead exposed over 100 million Americans’ detailed personal information which could easily have been used to pursue financial fraud, identity theft or effective phishing campaigns.”
He warns: “Given the huge number of people exposed, cybercriminals would only need to successfully defraud or attack a tiny portion to be successful.”
There are other factors of concern too, says Rotem: “Added to which, it was not just individuals that were put at risk but also their employers as the type of information leaked meant there was a strong chance of business email compromise risk.”
The issue does not stop with the private sector, notes Rotem: “Simultaneously, some government email addresses were found in the database. This can also be a gold-mine for criminal hackers who could use this data to infiltrate otherwise secure, high-level government agencies, resulting in major national security breaches.”
The current issue of concern is unlikely to be a rare event, Rotem explains: “Unfortunately, leaks of this nature are becoming more common. However, any leak like this could be easily avoided with some basic security measures taken including securing servers, implementing proper access rules, and never leaving a system that doesn’t require authentication open to the Internet.”