Monitoring for unprotected Elasticsearch services is something Cyble’s automated platform does all the time (fully automated). We have identified over 50,000 exposed Elasticsearch servers in the last few weeks, holding 100s of TB of data. Most of it is not something we find exciting for us, for our customers, or for our 10,000+ AmIbreached.com registered users.
However, in certain instances, we come across something that requires human intervention for analysis. One such instance was on March 27, 2020, when we found an Elasticsearch service that had over 300 million records from different platforms. A majority of them belonged to Facebook, i.e. 185 million+ Facebook profiles with the following fields.
_id, education.last_education, age_range, age, ethnic, gender, income.level, income.value, name, relationship, religion, business_and_economy, last_education, hobby_and_interest, government_election_politics, event_and_plans, education, conflict_and_attact, list_fanpage_keywords, list_fanpage_ids, length_of_work, last_education.school_name, last_education.education_type, work, versioning, society, social_scoring, religion_interest, email, phone, political_tendency, personality, organization, news_and_information, location_profile.flag, location_predict, location_group, location_final, location_default, list_group_keywords, lifestyle, id, figure and many other fields.
The only good thing here is that there were no Facebook account passwords.
However, we were surprised at how they managed to collect such detailed information: perhaps scraping, hooking into a crappy third-party app API, purchasing data from a broker, or some combination of these. The data collected was quite invasive and troubling.
Searching for terms such as Singapore gave us the following results:
And the search went on, so we decided to look into more details, such as what other indices were there, and there were quite a few! Here is the complete list:
As you’d notice, the system is designed to collect data points from a variety of sources, including Facebook, Telegram, Twitter, flights, etc., and it was actively collecting information. So this wasn’t just Facebook profiles; the system was actively collecting information on an almost real-time basis from other platforms.
So we decided to contact the owners of the companies on the following day, i.e. March 29. However, to date, no response has been received.
This is an interesting case where we came across an unprotected Elasticsearch server on the Internet belonging to a strategic intelligence company, Indonesia Indicator, which not only left its system with sensitive information exposed and unprotected but also inadvertently highlighted the system of invasive personal information collection.
The vulnerable system is still live, unfortunately!
People who are concerned about their online privacy or interested in learning about their exposure can sign up at Cyble’s data breach monitoring platform, AmIbreached.com.