Website databases contain a treasure trove of confidential information, including usernames, email addresses, phone numbers, and passwords (albeit encrypted passwords…hopefully). Such databases are a tempting target for cybercriminals who can hack into them to steal such information and then easily sell it to fellow criminals on the Dark Web. That’s why website databases should be as secure and protected as possible. But that’s not necessarily the reality.
A report released Wednesday by password manager NordPass revealed a total of 9,517 unsecured databases with more than 10.4 billion entries for such data as emails, passwords, and phone numbers.
The research was conducted by NordPass with the aid of a white hat hacker who used certain online tools to scan for exposed and unprotected databases from June 2019 to June 2020. Once such databases were uncovered, the hacker was able to log into them to see what kind of data could be found and then shared his discoveries with NordPass.
Looking across 20 countries, China topped the list with more than 3,700 exposed databases and more than 2.6 billion entries. The US came in second with 2,703 unprotected databases and almost 2.4 billion entries made available online. And in third place was India with 520 unsecured databases and 4.8 billion individual entries.
With such unprotected databases, a cybercriminal doesn’t even need to employ full hacking skills. Virtually anyone can access these databases through publicly available websites and tools. Using search engines such as Censys or Shodan, someone can scan the web to view open databases. The hacker hired by NordPass scanned for exposed Elasticsearch and MongoDB instances to seek out unprotected databases. In cases where the database administrators failed to change the default logins, accessing the database would be a simple task.
“In fact, with proper equipment, you could easily scan the whole internet on your own in just 40 minutes,” Chad Hammond, security expert at NordPass, said in a press release.
Some of the accessible databases and the associated data discovered may be in place just for testing purposes, according to NordPass, in which case it would be useless to cybercriminals. But assuming at least some of the data is from actual customers or other users, exposing it would be damaging.
Citing a real-world example of a major database leak, NordPass pointed to the instance from early 2019 in which millions of Facebook records were exposed on a public Amazon cloud server.
In another case from 2019, an unprotected database stored on a Microsoft cloud server exposed the personal information of 80 million US households. The leaked data included addresses, income, and marital status.
And in a third incident, a US rehabilitation clinic suffered a data leak that exposed the personal data of almost 150,000 patients. In this breach, the data wasn’t obtained by any sophisticated hacking method; rather, it was just there in a public database waiting to be leaked.
Just this month, unsecured databases were hit by a “Meow” attack that has already wiped out data from thousands of them. In these types of incidents, the attacker typically requests a ransom, but Meow demanded none.
“These kinds of attacks are very frequent,” Hammond said. “Usually, the attacker asks for ransom. This attack seems to be different only because the hackers deleted the data instead of asking for ransom. And while some of the affected databases only contained testing data, the Meow attack targeted some high-level victims, among which was one of the biggest payment platforms in Africa.”
To help organizations better protect and secure their website databases, Hammond offers several thoughts.
First, data security and protection should be a top priority. “Every company, entity, or developer should make sure they never leave any database exposed, as this is obviously a huge threat to user data,” Hammond said.
Data can be exposed to risks both in transit and at rest and so needs protection in both states. Of the available security approaches, encryption is a sound and widely used way to secure data in transit and at rest. All data should be encrypted using trusted and robust algorithms instead of custom or random methods, Hammond stressed. Administrators should also select appropriate security key lengths to protect their systems from cyberattack.
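The two failure modes the article describes, a database bound to a public interface with authentication left at its defaults (the Elasticsearch and MongoDB exposures found by the scanner) and an API served without encryption in transit, are both visible in the server's own configuration file. The script below is an added example written for this article, not code from NordPass or from the Elasticsearch project: it parses the flat `key: value` format of an `elasticsearch.yml` and reports findings a defender would want before the instance is reachable from the internet. The two sample configurations are constructed. The keys `network.host`, `http.host`, `xpack.security.enabled` and `xpack.security.http.ssl.enabled` are real Elasticsearch settings; the script assumes that an absent security setting means disabled, a conservative choice because the shipped default has varied across versions.

```python
"""Audit a flat elasticsearch.yml-style configuration for network exposure.

Added example for this article (not Elasticsearch project code). Reports:
  PUBLIC_NO_AUTH  - bound to a non-loopback address with security disabled
  PUBLIC_NO_TLS   - bound to a non-loopback address with HTTP TLS disabled
"""
import ipaddress

# Constructed sample: an exposed instance of the kind the article describes.
EXPOSED_CONFIG = """
cluster.name: shop-prod
network.host: 0.0.0.0          # listens on every interface
http.port: 9200
xpack.security.enabled: false  # no credentials required at all
"""

# Constructed sample: the same instance with authentication and TLS enabled.
HARDENED_CONFIG = """
cluster.name: shop-prod
network.host: 10.0.3.12
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Elasticsearch host values that bind only to the local machine.
LOOPBACK_VALUES = {"_local_", "localhost"}


def parse_flat_yaml(text):
    """Parse 'dotted.key: value' lines; comments and blank lines are skipped.

    Only the flat subset used by elasticsearch.yml is supported (assumption:
    no nested blocks or lists in the files being audited).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_loopback_only(host):
    """True when the bind address cannot be reached from another machine."""
    if host in LOOPBACK_VALUES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # Names such as _site_ or _global_ bind to routable interfaces.
        return False


def is_enabled(settings, key):
    """Treat an absent or non-'true' value as disabled (conservative)."""
    return settings.get(key, "false").strip().lower() == "true"


def audit(config_text):
    """Return a list of (code, message) findings for one configuration."""
    s = parse_flat_yaml(config_text)
    # network.host defaults to _local_ (loopback); http.host overrides it
    # for the REST API if present.
    bound = s.get("http.host", s.get("network.host", "_local_"))
    findings = []
    if is_loopback_only(bound):
        return findings  # only reachable locally; nothing to report here
    if not is_enabled(s, "xpack.security.enabled"):
        findings.append(("PUBLIC_NO_AUTH",
                         f"bound to {bound} with security disabled: "
                         "anyone who can reach the port can read the data"))
    if not is_enabled(s, "xpack.security.http.ssl.enabled"):
        findings.append(("PUBLIC_NO_TLS",
                         f"bound to {bound} without HTTP TLS: "
                         "data in transit is unencrypted"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        for code, msg in audit(cfg) or [("OK", "no exposure findings")]:
            print(f"  {code}: {msg}")
```

Run against a real file with `audit(open("/etc/elasticsearch/elasticsearch.yml").read())`. The check is deliberately strict: a loopback-only instance with security off is not reported, because the article's concern is databases reachable from the internet, while anything bound to a routable address must show both authentication and TLS explicitly enabled to pass.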
Identity management is another important factor as it ensures that only the right people in an enterprise have access to certain resources such as a database. Further, businesses should have a security team on hand to take responsibility for vulnerability detection and management, Hammond said.
“Proper protection should include data encryption at rest, wire (in motion) data encryption, identity management, and vulnerability management,” Hammond explained.