A popular Chinese mobile phone manufacturer collects this type of info from its devices and stores on a public server: IMEI, serial, cpu serial, fuzzy location with geo, device name/type, wifi mac and IP (if available).
Unprotected Elasticsearch cluster exposed personal data on millions of Iranian 🇮🇷 citizens, incl.:
- 46M+ Instagram accs+phones
- 1.2M+ Twitter accs +phones
- 180K+ Telegram accs+phones
+other info (cars, voters, sims, phones locations). Now cluster is destroyed. More info later
This could be the biggest collection of carefully collected and exposed personal data I've seen in India. 250M+ resumes, almost 1/5 of country's population left unattended. Name, address, employment history, DOB, skills, email, mobile/land ph, education, salary level. More later
Apparently, this is the TSC (Terrorist Screening Centre) dataset publicly exposed (tsc_id is the only clue), with 1.9M+ records. In any case, any thoughts as of where to responsibly report?
Raychat (@Raychat_io), popular Iranian business and social messenger, exposed its entire database (267M+ accounts w/ names, emails, passwords, metadata, encrypted chats etc.). DB is now destroyed by bot attack. No response from the company.
A totally random discovery (thanks to Trufflehog!) of tons of PII and non-public information on its way to the remediation thanks to you, my followers.
[NEW REPORT] 42 million Iranian “Telegram” user IDs and associated phone numbers leaked online. Data is on sale now on one of the hackers forums. This is how I found it: comparitech.com/blog/informa…
[BREACH ALERT] One of the largest EU-based virtual cards operator exposed its server, with 67M+ records, incl.:
- sender name/email/DOB/geo
- a card's message
- receiver's name/email/geo
- sender's IP
Database spans 2014-2022 (hence the size), includes FR/DE/ES/IT locales. 1/2
ICYMI: We found Trump's email server passwords in plain text and did not read his mails, because we are wearing white hats here. forbes.com/sites/leemathews/…
Breach alert: on Apr 7th 🇧🇷-based fintech IUGU exposed its entire database, incl. ALL customers and account details: emails, phones, addresses, invoices etc. IP with 1.7TB indexed by Shodan, I immediately alerted the company, db was taken down within an hour. No response.
[NEW REPORT] More details about a terrorist watchlist (TCS) containing 1.9 million records which I found online without a password - in my report: linkedin.com/pulse/americas-…
Received anonymous tip on another (?) Facebook data circulating in the darkweb: 2,377,841 records with UID / username / location / email. UIDs are incrementally sorted, from 100000000003XXX to 999998XXX. Is that part of 2018 breach?
[NEW REPORT] Argentina’s Ministry of Public Health exposed 115K+ patients details in a misconfig incident. When I found it, the database had already been infiltrated by a “meow bot”. More: comparitech.com/blog/informa…
Again, local assistance required to isolate HUGE exposure of PII docs! This time - Colombia 🇨🇴. EPS Sanitas, part of Keralty [@Keralty_EurAsia] int'l group, exposes MILLIONS of scanned insurance docs of Colombian citizens + passports. No response for weeks.
[NEW REPORT] The Independent, a UK-based newspaper, exposed one of its S3 repos (which apparently was designed to be public but contained other files), with subscribers info from 2014-2018, incl.: full name, address, password, DOB, phone, email, IP, geo, interests. etc. 1/2
Just came across a giant database with more than 202 Million Chinese CVs, with pretty much detailed info. - name, email, phones, genders, child counts, marriage status, politics stat (?) - and, of course, skills, work history etc. Any ideas where to report?
There is no such thing as 'free VPN'. In this case (Iranian?) product named Topvpn[.]cc (100k+ d/l on playmarket) accidentally exposed its logs with collected users data: user agents, IPs, ID+tokens w/expiration date, geo, referrers, etc.
Current developments on this as of Sep 27:
- I got in touch with AWS security team so they would contact the owner of the secret keys/buckets and get them rotated/secured;
- Apparently, someone responsible for the gov't portal IT maintenance was made aware of this "overlap" and cleaned up the configuration file (no secrets now);
- However, the "cleaned up" file in question STILL contains references to the external S3 bucket(s) which is STILL publicly listed and downloadable (of course, it contains PII);
- As soon as every issue is addressed, I will publish a report with the additional details.
This is getting ridiculous. Database is real-time updated and now +8GB in size. Do I have French-based researchers or local media reps to contact these guys directly on the ground? @troyhunt - will keep you updated soon
[SOON] One of the biggest job agencies in France leaking all their candidates info, including: social security cards (+scans), names, emails, physical addresses, mobile phones, job history, links to S3 buckets with info (access key+sign). More than 2M rec. No response. #GDPR
Looks like 'they' found a way to abuse Twitter API and get emails and/or phone numbers too (see my previous posts earlier today). It wasn't a surprise for Instagram and Telegram data but first time with @Twitter if I'm not mistaken.
Petco Mexico (@Petco) had a 'cyber security' incident as a result of MongoDB misconfig, with PII of its customers exposed in the wild for 24h+ at least. Order detail, phone, email, name : 3.8M+ records. Luckily, quickly addressed after my resp. disclosure. No comment though.
So, it took cyber criminals only 2 days to find and wipe out an unprotected MongoDB with almost 5 Million records of Mexican electronic invoices (CFDI), with a lot of PII involved. Data seemed to be managed by yet-unknown provider, with some big companies on board...
[SOON] One of the biggest job agencies in France leaking all their candidates info, including: social security cards (+scans), names, emails, physical addresses, mobile phones, job history, links to S3 buckets with info (access key+sign). More than 2M rec. No response. #GDPR
BravoVPN exposed IPs of its customers. 58M+ records. Most IPs come from Asia and Middle East regions. Each IP has a unique userID. No other sensitive information leaked, only IPs and userIDs (plus uptime). Is this a violation of privacy? Owners never replied to my emails.
These are the companies which had payroll invoices (4+ Million) compromised in the MongoDB leak in Mexico last week. Owner of DB is still unknown, but data is now wiped out, with a ransom note demanding 0.5BTC. Need your help to find out who was reponsible for making it public.
New Elasticsearch bot attack does not contain any ransom or threats, just 'meow' with a random set of numbers. It is quite fast and search&destroy new clusters pretty effectively
Iranian exposure: Bargheman(.)com- large "official portal for inquiry and payment of electricity bills of the electricity distribution companies" (site is only seen from IR-based IPs) leaks users PII (name/ID/mobile/email), partial CC, meters data. 484K+ records and updating r/t.
[NEW REPORT] Misconfigurations happen - no matter how big or secured a company is. Here is my new report. 250M+ million Microsoft's Customer Service and Support (CSS) records were exposed on the web. comparitech.com/blog/informa…
Insomnia Cookies [@insomniacookies] left almost all of their prod credentials exposed via publicly accessible dot-env file on one of its IPs (indexed by all IoT search engines). Silently secured after responsible disclosure, no response.
[NEW REPORT] Almost all Panama citizens data should have exposed in this data breach (still to be confirmed), read my short report here: securitydiscovery.com/panama…
One of the biggest CIS-based online casinos exposed its entire prod env via passwordless 580GB+ MongoDB for months. Looks like all of its millions-sized userbase info was there: names/phones/emails/DOB/location/IP/partial payment info etc. + internal passwords/tokens. Now secured
Did you know that Whirlpool scans your IoT appliances every hour and collects data such as email, SAID, model name and number etc? I found their exposed MongoDB with this data and responsibly disclosed it. Report coming up today.
We set up Elasticsearch honeypot and watched it destroyed. Over three dozen attacks occurred before the database was even indexed by search engines like Shodan / BinaryEdge: comparitech.com/blog/informa…
I must say I really enjoyed my conversations with different reps of @Razer support team via email for the last couple of week, but it did not bring us closer to securing the data breach in their systems.
Thank you all for the support - I am expecting to hear more from potentially affected company very soon and will update the story / publish report as soon as I have final info.
I am from Ukraine and Hackerone not sending bounties here as well (they owe me like 3k usd since Feb). I guess they simply disabled payouts to the entire country, no matter if it is occupied or not. Right @Hacker0x01 ?
Finally we will have some sleep today. It's been 2 days when we woke up after Russia bombed Kyiv but feels like an entire life. Had to leave our cat to friendly people in Lviv. Stand with Ukraine. These are Putin's last days.
[NEW REPORT] 800+ Million emails/IPs/names/addresses/DOBs leaked online by email verification service - and this is just a tip of an iceberg. Read more here: securitydiscovery.com/800-mi…
[BREACH ALERT] On July 20th, a huge dataset of popular social media influencers data points was accidentally exposed/indexed. Apparently part of Campaygn (an influencers marketing firm). In total, 9 nodes were exposed. Total count of records: 231M+. Now secured, no response. 1/
[NEW REPORT] 267 million Facebook users IDs and phone numbers exposed online. This looks like another exposure, not similar to the previously reported in Sept. More here: comparitech.com/blog/informa…
Mexican #breachalert: 21,419,493 records, incl.: RFC (tax ID), name, phone, address, full credit card number (!), credit line amount. All exposed via unprotected anonymous ES cluster end of Aug. Now taken down. Source of data is yet unknown.
[UFO VPN STORY UPDATE] After the exposed data had been secured, it resurfaced a second time on July 20 at a different IP address - all of the records destroyed now by a new “Meow” bot attack.
[NEW REPORT] Here is my short take on what happened. Call me old-fashioned but I would prefer to have an Internet-disconnected dishwasher these days securitydiscovery.com/whirlp…
Indonesia anyone? 🇮🇩 Thousands of highly sensitive airforce stuff clearance documents exposed online, incl. passport scans, PII etc of accredited personnel from around the world, e.g. Lockheed Martin people.
Redline Stealer malware logs with more than 6M records were exposed online, publicly (now taken down). Internationally sourced data, exfiltrated in Sept and Aug 2021. RS is the key source of identity data sold on online criminal forums since its initial release in early 2020.
A global hospitality industry SaaS operator exposed its database with almost 5M reservations details, incl. names, DOBs, VIP status, PmsID, Passport Nos and emails of guests of big chain hotels wwide. First seen on Shodan on Feb 11, db is now quietly secured. More to follow
Officially: starting today, I have joined @Hacken_io team and will be assisting them to develop/deploy security services and, of course, spread knowledge and cyber hygiene rules all around the globe with my reports and investigations. Stay tuned!
yet another giant email/name/phone/IP collection database used by a direct marketing company - 22 million records. Quick check of some emails on @troyhunt@haveibeenpwned did not show any previous breaches..
[NEW REPORT] More than 259M patients records exposed as a result of Elasticsearch misconfig incident in Indian cloud hospital management system called eHospital. It was launched 2015 as one of the government initiatives to digitise governance in the country. Now secured. 1/2
OK, Twitter - now I need follwers from Brazil to alert local business on leaky database. HBook, part of @hsystemtec exposed half of million of booking requests, credit card info, passwords, profile details etc. No response yet.
Security team at @ClaroVideo - please respond to my email, there is a configuration issue with one of your servers, exposing customers data (email, username, ID, pwd hash etc): @ClarovideoCO / @ClaroVideoPE / @ClaroVideoBr and other.
An Iranian server (Telegram clone app?) hosted dataset with 10M Israeli citizens info, presumably part of larger Truecaller leak (which they never confirmed). Data included: phone, name, email, TC photo link, Whatsapp status/avatar etc. Now taken down.
Someone left exposed private keys/transfer IPs/balances details for a number of 1400+ high-profiled BTC wallets (e.g. each one with 7-9k BTC). Most marked as 'active'. 🧐
Another #Instagram related data breach - almost 3M records exposed, with UID/username and emails. Can't recall when emails were part of similar things, @zackwhittaker ?
Since Fri I've been trying to get in touch with someone from ActMobile [@ActMobile] to responsibly alert that their VPN userbase (45M+) info (email, pwd, IPs, devices etc) is exposed to public but no luck. Incl. but not limited to @DashVPN, FreeVPN.org. Anyone?
OK, I know that @fs0c131y has all-Indian attention now, but an Indian data collector company is exposing half a million of detailed records of Delhi citizens and not responding to alerts.
I would like to publicly thank Meta/Facebook. For the last couple of months I reported 3 (three) Facebook databases to @Meta scraping bug bounty program; and was awarded totally 23,200 USD which are aimed for GlobalGiving’s Ukraine Crisis Relief Fund. 🇺🇦🇺🇦🇺🇦
I'm sure many people saw this when it was up: 11,651,162 enriched Instagram profiles; 81,551,567 Facebook; 66,117,839 LinkedIn. All IG data w/emails, phones. According to some indirect proofs, this data was gathered by a Chinese-based marketing company, SocialArks.
Unprotected Elasticsearch cluster exposed personal data on millions of Iranian 🇮🇷 citizens, incl.:
- 46M+ Instagram accs+phones
- 1.2M+ Twitter accs +phones
- 180K+ Telegram accs+phones
+other info (cars, voters, sims, phones locations). Now cluster is destroyed. More info later
Hi @CSDThailand - there is a huge passwordless repository exposed with PII of "aliens" and TH-citizens who entered the country + more sensitive info, please respond to my email or provide a valid contact to report (I was able to find my passport, too!). @ThaiCERT informed.
Found a database with 50M users' scraped LinkedIn data, owner unknown. Data fields include emails, names, professional info, company info, skills, location etc. Mysterious 'talent_iq' and 'force' categories - any ideas where that might come from?
After @zackwhittaker covered EE leak, I ran a couple of queries on Sonarqube. Shocked to see more than 3K+ instances available, with roughly 30-40% of them set without auth, and almost half of those containing source code with prod data. Big names involved, another area to cover.
I'm from Ukraine too. Recently received answer from HackerOne that Ukraine is under the sanctions of the USA. This statement is false. Because sanctions were imposed against the countries aggressors (Russian Federation, Belarus).
Yamaha Music AU [@yamahamusicau] secured data exposure via index dir. after my alert w/o any notice. Data was searchable at least for a month. Apart from 'live database' and all types of configs, orders were public: name, email, phone, SKU and address (ca.2k cust. from 2021).
Do I have followers from Sweden ready to assist in responsible disclosure? Trying to email/call the company but have only voicemail in Swedish. Children tracking and monitoring platform left all their digital keys online (db passwords, admin creds, AWS key, API secrets etc etc)
Seems like @AmexIndia exposed its #MongoDB for a while, with some really sensitive data (base64 encrypted). Now secured (just when I was preparing responsible disclosure), but question remains how long it was open. Found with @binaryedgeio engine.