4 billion user accounts exposed on password-free server


A data breach disclosing personal information associated with billions of social media and other accounts has been discovered by security researchers at Data Viper.

The numbers are chilling:

  • Data files containing stolen personal information: 1
  • Terabytes of stolen personal information in the file: 4
  • Social media and other user accounts compromised: 4 billion
  • Individual users whose data is disclosed in the file: 1.2 billion
  • Passwords required to access or download the file: 0

On October 16, Data Viper’s Bob Diachenko and Vinny Troia discovered an Elasticsearch server that contained 4 terabytes of stolen data. The data consists of personal data – including names, email addresses, phone numbers, and profile information from LinkedIn and Facebook – for more than 1.2 billion people.

The server was accessible without any need for authentication, and it contained as many as 622 million unique email addresses, plus data from Facebook, LinkedIn, Twitter, and GitHub. Taken together, the profiles give a 360-degree view of an individual, along with insights about their employment and education histories.

The Elasticsearch server was accessible via web browser, and no password was needed to access or download any of the data. According to Troia, the information seems to have come from the files of two data enrichment companies. Such companies offer clients comprehensive user profiles built from a single piece of information such as a name or email address. They use Big Data mining techniques to inform clients about their targets' finances, income, political and religious preferences, and preferred social activities.
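The exposure described above is the classic one: an Elasticsearch node that answers anonymous HTTP requests with its cluster metadata and index listing. The script below is an added example, not code from the article or from Data Viper, that an administrator can run against a cluster they own to confirm whether anonymous clients are refused (HTTP 401) or can read the cluster name, version, index names and document counts. The hostname `es.example.test` and the sample JSON responses are constructed for illustration; the response shapes (`cluster_name` and `version.number` at `/`, and `index` / `docs.count` from `/_cat/indices?format=json`) are Elasticsearch's own.

```python
"""Self-audit of an Elasticsearch endpoint for unauthenticated exposure.

Added example (not from the original article). It assumes you are checking a
cluster you administer; the hostname and the sample responses below are
constructed for illustration.
"""
import json
import urllib.error
import urllib.request


def fetch(url: str, timeout: float = 5.0):
    """Return (http_status, body_text) for a GET sent with no credentials.
    A 401 is returned as an ordinary status instead of being raised."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def audit(base_url: str, fetch_fn=fetch) -> dict:
    """Classify a node as 'auth_required', 'open' or 'not_elasticsearch' and,
    when it is open, inventory what an anonymous client can read."""
    base_url = base_url.rstrip("/")
    status, body = fetch_fn(base_url + "/")
    if status == 401:
        # Security is enabled: the node demands credentials before saying anything
        return {"verdict": "auth_required"}
    try:
        root = json.loads(body)
    except ValueError:
        return {"verdict": "not_elasticsearch"}
    if status != 200 or not isinstance(root, dict) or "cluster_name" not in root:
        return {"verdict": "not_elasticsearch"}
    result = {
        "verdict": "open",
        "cluster_name": root["cluster_name"],
        "version": root.get("version", {}).get("number"),
    }
    status, body = fetch_fn(base_url + "/_cat/indices?format=json")
    indices = json.loads(body) if status == 200 else []
    result["indices"] = sorted(i["index"] for i in indices)
    # docs.count is returned as a string, and is null for closed indices
    result["total_docs"] = sum(int(i.get("docs.count") or 0) for i in indices)
    return result


# Constructed sample responses standing in for a live node (hypothetical host)
SAMPLE_OPEN = {
    "https://es.example.test:9200/": (200, json.dumps({
        "name": "node-1", "cluster_name": "people-data",
        "version": {"number": "7.4.0"}, "tagline": "You Know, for Search"})),
    "https://es.example.test:9200/_cat/indices?format=json": (200, json.dumps([
        {"health": "yellow", "status": "open", "index": "profiles", "docs.count": "1200000000"},
        {"health": "green", "status": "open", "index": "emails", "docs.count": "622000000"},
        {"health": "yellow", "status": "close", "index": "old", "docs.count": None}])),
}
SAMPLE_LOCKED = {
    "https://es.example.test:9200/": (401, '{"error":{"type":"security_exception"}}'),
}


def fake_fetch(responses):
    """Offline stand-in for fetch(): serve the constructed responses above."""
    return lambda url: responses.get(url, (404, ""))


if __name__ == "__main__":
    print(audit("https://es.example.test:9200", fake_fetch(SAMPLE_OPEN)))
    print(audit("https://es.example.test:9200", fake_fetch(SAMPLE_LOCKED)))
```

For a real check, call `audit("https://your-node:9200")` without the `fetch_fn` argument; an `open` verdict with a non-empty index list is exactly the state the article describes and means the node should be bound to a private interface and have authentication turned on before anything else is done.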

Data Viper believes most of the data comes from People Data Labs, while the LinkedIn data seems to be from OxyData.

Microsoft regional director Troy Hunt conducted his own research on the subject, concluding that the individual or group responsible for compiling the data paid for it and accessed it using data enrichment company APIs rather than stealing it in a data breach. 

“Being able to access not only email addresses but phone numbers and social media profiles of hundreds of millions of people makes a phishing expedition or an attempt to otherwise find, profile and compromise high-value targets — individuals or organisations — that much easier,” Hunt said. “The vast amount of data in the repository contained enough intelligence and detail to launch a well-targeted campaign which would allow a motivated group or individuals to obtain access, credentials and other highly valued information.”