SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image

Almost 10,000 unsecured databases with more than 10 billion credentials exposed

Thu, 30th Jul 2020
FYI, this story is more than a year old

Researchers have detected almost 10,000 unsecured databases with more than 10 billion credentials exposed.

NordPass, the company behind the research, says the web is "swirling" with exposed databases.

Research has identified a total of 9,517 unsecured databases containing 10,463,315,645 entries with such data as emails, passwords, and phone numbers.

The databases were found across 20 different countries, with China being at the top of the list the country had nearly 4,000 exposed databases. This means that potentially more than 2.6 billion users could have had their accounts breached, NordPass says.

The United States comes second, with nearly 3,000 unsecured databases and almost 2.3 billion entries made available online.

India was third, with 520 unsecured databases and 4,878,723 entries.

According to NordPass, while some of this data might be useless and only used for testing, much of it could be damaging if exposed.

"Some of the largest data leaks of last year resulted from exposed databases," the company says.

For example, millions of Facebook records were exposed on a public Amazon server. In another incident, an unsecured database exposed information of 80 million US households.

The data included victims addresses, income, and marital status. A rehabilitation clinic in the US also suffered from a data leak, over which nearly 150,000 patients had their personal information exposed.

"The most worrying part is that this data was not leaked by a persevering hacker it was simply sitting there in a public database," NordPass says.

NordPass says that while the idea of searching for exposed databases may seem complex, the process itself is quite straightforward.

"Search engines like Censys or Shodan scan the web constantly and let anyone view open databases in just a few clicks. If the database managers used the default logins, getting into one would be a piece of cake," it says.

"In fact, with proper equipment, you could easily scan the whole internet on your own in just 40 minutes."

According to Chad Hammond, security expert at NordPass, unsecured databases have recently been hit by a Meow attack, which wiped clean thousands of them.

"These kinds of attacks are very frequent. Usually, the attacker asks for ransom. This attack seems to be different only because the hackers deleted the data instead of asking for ransom," he says.

NordPass estimates that 39% of all databases have already been hit by one of these ransomware attacks.

"The Meow attack against unsecured databases should only reinforce the need for proper data security," says Hammond.

"And while some of the affected databases only contained testing data, the Meow attack targeted some high-level victims, among which was one of the biggest payment platforms in Africa."

Hammond says data security and protection should be a top priority.

"Every company, entity, or developer should make sure they never leave any database exposed, as this is obviously a huge threat to user data," he explains.

"Proper protection should include data encryption at rest, wire (in motion) data encryption, identity management, and vulnerability management."

Hammond says data can be exposed to risks both in transit and at rest and therefore requires protection in both states.

"While there are several different approaches, encryption plays a major role in data protection and is a popular tool for securing data both in transit and at rest.

"Nevertheless, all data should be encrypted using trusted and robust algorithms instead of custom or random methods. It is also important to select appropriate key lengths to protect your system from attacks," he says.

Hammond says identity management is another important step and should be used to ensure that only the relevant people in an enterprise have access to technological resources.

"Finally, every company should have a local security team responsible for vulnerability management and able to detect any vulnerabilities early on," he adds.

As for the users, Hammond emphasised the importance of a strong password.

"The fact that we have more than 10 billion passwords up for grabs should only encourage people to think of strong, lengthy passwords," he says.

"If your password is 12345, no firewall in the world will protect your data. Your password shouldn't be a dictionary word either. An average person uses only about 20,000-30,000 words, so chances are that all of them are already among those 10 billion."

Follow us on: