The data was exposed due to an unprotected Elasticsearch cluster and remained open to public access without any security authentication.
Well-known security researcher Bob Diachenko discovered a ‘Giant’ blunder made by UK media outlet The Telegraph after it exposed 10 terabytes of subscribers’ data.
According to Diachenko, the trove of records included subscriber information and server logs, while the data was exposed due to an unsecured Elasticsearch cluster, which remained unprotected throughout September, and was freely accessible without any authentication or password required to access it.
It is worth noting that The Telegraph is one of the UK’s largest online media and newspapers outlets. The database was discovered on 14 September 2021.
How did The Leak happen?
According to the researcher, while most of the data was encrypted, personal details of around 1,200 subscribers/registrants of the media outlet were in clear text format, and a massive collection of internal server logs was also unprotected.
Diachenko notified The Telegraph about the leak the same day it was discovered, but he didn’t receive any response, so two days later, on 16 September 2021, he shared the news on Twitter.
“First Beeline, now http://Telegraph.co.uk [@Telegraph] … 10+Tb of data exposed, incl. subscribers info (email, name, IP, device info, tokens). Please reply asap. Emails have been sent,” posted Diachenko.
After the tweet, the database was secured by the news outlet’s security team. Bob also posted some screenshots of the unsecured database.
Leaked Data Includes…..
The subscriber data exposed in this leak include full names, device information, email IDs (some @govt.uk), IP addresses, URL requests, unique reader identifiers, and authentication tokens. Moreover, the leaked database contained passwords of Apple news registrants or subscribers.
Diachenko noted that the data was probably left unprotected for three weeks and was accessible online since 1 September.
In a blog post, Diachenko explained that,
“We do not know if any unauthorized parties accessed it during that time, but our honeypot experiments show attackers can find and steal data from unprotected databases in just a few hours after they’re exposed. – The data was generated from an internal logging server for *The Telegraph*.co.UK website.”
Experts suggest impacted users should immediately reset the password and watch out for unsolicited messages asking them to click on certain links or open attachments.
In response to Bob Diachenko’s notification, The Telegraph sent him a statement, which read:
“We became aware of this discovery on 16 September and took immediate action to secure the data. An investigation showed that only a small number of records were exposed – less than 0.1% of our users and we have contacted all the users to advise them. The investigation also concluded that whilst the data was exposed, it was not breached other than the discovery posted by the researcher.”