49 million unique email addresses of Straffic Marketing firm exposed online

The Israeli marketing firm Straffic accidentally exposed 49 million unique email addresses stored in an Elasticsearch database.

The Israeli marketing firm Straffic exposed 49 million unique email addresses due to mishandled credentials for an Elasticsearch database.

The credentials for the company archive were stored in plain text on an unprotected web server.

Straffic notified the impacted users of the incident, adding that the data leak was the result of a “security vulnerability” in one of its servers.

“Dear Straffic user, we would like to bring to your attention that we have been reported that a security vulnerability has been found on one of the servers we use to provide our services.” reads a notice published by the company.

“Following this report, we confirmed a weakness did exist and promptly patched it, in addition to fortifying our existing security protocols. As of now, all systems are secure and we did not find evidence of any data misuse or data loss.”

The exposed Elasticsearch database contained 140GB of contact details, including names, email addresses, phone numbers, physical addresses, and genders. While it was password protected, it appears that the credentials were not properly stored.

The credentials were left in plain text online and were discovered by a security researcher who goes by the online moniker 0m3n.

The expert decided to investigate the company after receiving unwanted marketing SMS messages for more than two years.

The expert discovered a configuration text file (.ENV) that pointed to an AWS Elasticsearch instance.

“An .ENV file is typically used when testing an application in the Laravel PHP web framework. It should not make it in the git repo during the synchronization process and for this reason it is added to the ignore list (.gitignore).” reported BleepingComputer.

“Speaking to BleepingComputer, 0m3n said that the developers may have forgotten to add the .gitignore file and the configuration was synched to the web server.”

Clearly, this case appears to be the result of a misconfiguration rather than a security vulnerability.
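The failure described above is a deployment hygiene problem: a Laravel-style .env file holding Elasticsearch credentials reached a public web root because nothing excluded it from the synchronised tree. The following pre-deploy check is an added example written for this article, not code from Straffic, BleepingComputer or 0m3n. It walks a project directory, flags .env-style files that are not covered by the project's .gitignore, and names the credential-looking keys they contain. The sample project, file names and values it builds are constructed placeholders, and the .gitignore matching is a deliberate approximation (basename or relative-path glob), not a full implementation of Git's rules.

```python
"""Pre-deploy check for .env files that would be published with a web root.

Added example, not from the article. Finds .env-style files in a project tree
that are not excluded by .gitignore and reports which credential-like keys
they expose. All paths and values below are constructed for illustration.
"""
import fnmatch
import os
import re
import tempfile

# Laravel-style environment files: .env, .env.production, .env.example, ...
ENV_FILE_RE = re.compile(r"^\.env(\..+)?$")
# Keys whose presence in a published file turns a misconfiguration into a credential leak.
SECRET_KEY_RE = re.compile(
    r"^(?:export\s+)?([A-Z0-9_]*(?:PASSWORD|SECRET|KEY|TOKEN)[A-Z0-9_]*)\s*=", re.M
)


def load_gitignore(root):
    """Return the non-comment, non-empty patterns from root/.gitignore (empty if absent)."""
    path = os.path.join(root, ".gitignore")
    if not os.path.exists(path):
        return []
    with open(path) as fh:
        return [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]


def is_ignored(relpath, patterns):
    """Approximate gitignore matching: a pattern matches the basename or the relative path."""
    name = os.path.basename(relpath)
    for pat in patterns:
        pat = pat.rstrip("/").lstrip("/")
        if fnmatch.fnmatch(name, pat) or fnmatch.fnmatch(relpath, pat):
            return True
    return False


def find_exposed_env_files(root):
    """Return sorted (relative path, [secret key names]) for .env files NOT excluded by .gitignore."""
    patterns = load_gitignore(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # never descend into .git itself
        for fn in filenames:
            if not ENV_FILE_RE.match(fn):
                continue
            rel = os.path.relpath(os.path.join(dirpath, fn), root).replace(os.sep, "/")
            if is_ignored(rel, patterns):
                continue
            with open(os.path.join(dirpath, fn)) as fh:
                keys = SECRET_KEY_RE.findall(fh.read())
            findings.append((rel, sorted(set(keys))))
    return sorted(findings)


def build_sample_project(root, with_gitignore):
    """Write a constructed Laravel-style project; the .env values are placeholders, not real credentials."""
    with open(os.path.join(root, ".env"), "w") as fh:
        fh.write(
            "APP_ENV=production\n"
            "ELASTICSEARCH_HOST=https://search-example.placeholder.es.amazonaws.com\n"
            "ELASTICSEARCH_USER=app\n"
            "ELASTICSEARCH_PASSWORD=PLACEHOLDER\n"
        )
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello';\n")
    if with_gitignore:
        with open(os.path.join(root, ".gitignore"), "w") as fh:
            fh.write("# Laravel defaults\n/vendor\n.env\n.env.*\n")


def demo(with_gitignore):
    """Build the sample project in a temp dir and run the check; returns the findings list."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_project(root, with_gitignore)
        return find_exposed_env_files(root)


if __name__ == "__main__":
    print("without .gitignore:", demo(False))  # the leak scenario: .env would be published
    print("with .gitignore:   ", demo(True))   # the fix: .env excluded, nothing reported
```

Running the check in CI before the tree is pushed to a web server makes the missing .gitignore entry a build failure rather than a discovery by an outsider; the same walk can be pointed at an already deployed document root to confirm nothing slipped through.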

“This incident is yet another example of an organisation siphoning up huge amounts of personal data with those in there (almost certainly) having no idea who the company is. Then leaving it all in a publicly accessible Elasticsearch instance https://t.co/44YxkCTQIq” — Troy Hunt (@troyhunt) February 27, 2020

The popular expert Troy Hunt, who runs the Have I Been Pwned data breach notification service, declared that 70% of the emails in Straffic’s database were already included in its archive.

Straffic announced that it has now secured its servers and that it is not aware of any abuse of the data.


Pierluigi Paganini

(SecurityAffairs – Straffic, data leak)

The post 49 million unique email addresses of Straffic Marketing firm exposed online appeared first on Security Affairs.