Lead generation company Leadhunter has exposed and lost over 110 million records due to an unsecured database.
The Elasticsearch cluster, discovered by security researcher Bob Diachenko on January 30, 2020, had been set up without any authorisation, resulting in it being quickly indexed by all kinds of search engines.
It wasn’t until March 4 that a threat actor attacked the misconfigured database and destroyed/stole the data.
“This is quite a new approach to data security taken by malicious actors compared to their previous ransom demands for getting data back,” said Diachenko.
The data in the database included full names, addresses, emails, gender, IP addresses and phone numbers.
Altogether 110,378,874 records were exposed.
Upon discovering the database, Diachenko immediately sent an alert to the German-based company; however, no response has been received to date.
Although the data was collected from public sources, “such a large structured collection of data would pose a clear risk to people whose data was exposed. An identity thief or phishing actor couldn’t ask for a better payload,” explained Diachenko.