The Telegraph has leaked 10TB of data containing subscriber information, after failing to secure one of its databases.
Discovered on September 14, 2021, by security researcher Bob Diachenko, the exposed information included internal logs, full subscriber names, email addresses, device info, URL requests, IP addresses, authentication tokens, and unique reader identifiers.
Diachenko confirmed that at the time of his review atleast 1,200 unencrypted contacts were accessible without a password.
Many of these contacts concerned registration information of Apple News subscribers, and also included passwords in plaintext form.
Upon discovery, The Telegraph were contacted immediately, and the database was secured two days later.
The instance was indexed on specialised search engines on September 1, thus the period of exposure is atleast three weeks - enough time for threat actors to exfiltrate the contained data.
In a statement, The Telegraph said:
”We became aware of this discovery on 16 September and took immediate action to secure the data. An investigation showed that only a small number of records were exposed – less than 0.1% of our users and we have contacted all the users to advise them. The investigation also concluded that whilst the data was exposed it was not breached other than the discovery posted by the researcher. We are grateful for the work of independent researchers who responsibly disclose vulnerabilities and exposures and who are vital in our continued work to protect our assets.”