It has been a great week for hackers and would-be spearphishing professionals. Yesterday, ZDNet reported that Sky Brasil, a television subscription service, was breached, exposing details of 32 million subscribers. That same day, Bleeping Computer reported a separate story, revealing a massive leak of data from an unprotected server, amounting to 114 million records. In both cases, the cache of information included details of individuals, as well as businesses. The common denominator: Unprotected Elasticsearch servers.
Both exposed servers were indexed on Shodan, a search engine that scans the internet for connected devices and systems. Because of the way Shodan functions, cybercriminals can operate very efficiently, zeroing in on targets, based on certain criteria. Forbes writes, “Shodan results can be filtered to isolate specific services — in this case to pinpoint Elasticsearch servers that are sharing more information than they should be.”
In the case of SkyBrasil, the server had been exposed on the internet, without a password, for at least a week.
With the much larger data leak, it is unclear how long it was exposed. However, the Shodan search engine shows the database was indexed November 14. It is unclear at this point who owns the database. But as Bleeping Computer notes, it contained “All the good stuff for a proper scam…including sensitive details like full name, employer, job title, email and street address, ZIP code, phone number, and an IP address.”
In an article five years ago, Vice interviewed John Matherly, the search engine creator. Brushing aside the fact that most devices don’t use passwords, Matherly said, “And even the devices that do require authentication mostly use default credentials, so you just go on Shodan and you can search for the default password and access them as easily as that.”
California’s state bill 327 hopes to address that password issue by holding manufacturers responsible. However the legislation has been deemed far from perfect and it won’t even take effect until 2020.
That interview with Shodan’s creator was five years ago, and at the time, Vice and others were referring to Shodan as the world’s most dangerous search engine. In the world of cybersecurity, time flies. And unfortunately, time is on the hackers’ side.