- Exposed Elasticsearch cluster leaked 8.7 billion records of Chinese individuals and companies
- Data included PII, clear-text passwords and company registration information
- Cluster was probably assembled by data brokers; hosted with a bulletproof provider, now locked down after discovery
One of the biggest data leaks ever discovered in China came to light after security researchers from Cybernews reported finding an exposed Elasticsearch cluster containing more than 160 indexes.
These indexes held about 8.7 billion records, mostly on Chinese individuals.
The records contained all kinds of personally identifiable and sensitive data, including names, addresses, phone numbers, dates of birth, gender, social media identifiers and plaintext passwords. They also contained corporate records such as business registration information, legal representatives, business contact details, registered addresses and license metadata.
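The exposure pattern described above has a simple signature: an Elasticsearch REST API that answers `GET /` without credentials, and index mappings that store password and PII fields as searchable `keyword`/`text` values. The script below is an added example written for this article, not tooling from Cybernews or from the cluster's operator; it checks a cluster you are authorized to test for exactly those two things. The sensitive-field-name heuristic and the `SAMPLE_CAT`/`SAMPLE_MAPPING` data are constructed assumptions, not data from the reported cluster.

```python
"""Audit an Elasticsearch cluster for unauthenticated access and for index mappings
that expose PII or credential fields in the clear. Added example for this article,
not Cybernews' tooling; the heuristic and SAMPLE_* data are constructed assumptions."""
import json
import re
import sys
import urllib.error
import urllib.request

# Leaf field names that usually hold PII or credentials (heuristic, an assumption).
SENSITIVE_FIELD_RE = re.compile(
    r"pass(word|wd)?|pwd|secret|token|phone|mobile|email|id_?card|birth|dob|address|legal_?rep",
    re.IGNORECASE)

# Constructed sample of GET /_cat/indices?format=json (docs.count is a string there).
SAMPLE_CAT = [
    {"index": "users_2023", "docs.count": "120000"},
    {"index": "companies", "docs.count": "45000"},
    {"index": "social_ids", "docs.count": "900000"},
]

# Constructed sample of GET /users_2023/_mapping for an aggregated PII index.
SAMPLE_MAPPING = {"users_2023": {"mappings": {"properties": {
    "name": {"type": "keyword"},
    "phone": {"type": "keyword"},
    "password": {"type": "keyword"},      # searchable cleartext: the red flag
    "birth_date": {"type": "date"},
    "import_date": {"type": "date"},      # import timestamps, as the article notes
    "company": {"properties": {
        "legal_rep": {"type": "text"},
        "reg_address": {"type": "text"},
    }},
}}}}


def classify_root_response(status: int) -> str:
    """200 on an unauthenticated GET / means the REST API answers anyone who can
    reach it; 401/403 means authentication is enforced."""
    if status == 200:
        return "open"
    if status in (401, 403):
        return "auth-required"
    return "unknown"


def flatten_fields(properties: dict, prefix: str = "") -> list:
    """Walk a mapping's 'properties' tree (descending into object fields) and
    return (dotted path, type) pairs."""
    out = []
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:
            out.extend(flatten_fields(spec["properties"], path + "."))
        else:
            out.append((path, spec.get("type", "object")))
    return out


def sensitive_fields(mapping: dict) -> list:
    """Field paths in a GET /<index>/_mapping body whose leaf name looks like PII
    or a credential, sorted for stable reporting."""
    found = []
    for body in mapping.values():
        props = body.get("mappings", {}).get("properties", {})
        for path, _type in flatten_fields(props):
            if SENSITIVE_FIELD_RE.search(path.rsplit(".", 1)[-1]):
                found.append(path)
    return sorted(found)


def summarize_indices(cat_indices: list) -> dict:
    """Index count, total documents and the three largest indexes from a
    _cat/indices JSON body: the scale figures reports like this one quote."""
    count = lambda i: int(i.get("docs.count") or 0)
    largest = sorted(cat_indices, key=count, reverse=True)[:3]
    return {"index_count": len(cat_indices),
            "total_docs": sum(count(i) for i in cat_indices),
            "largest": [(i["index"], count(i)) for i in largest]}


def audit(base_url: str, timeout: float = 5.0) -> dict:
    """Probe a cluster you are authorized to test. Stops after GET / unless the
    node answered without credentials; otherwise lists indexes and flags fields."""
    def get(path):
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as r:
                return r.status, json.load(r)
        except urllib.error.HTTPError as e:
            return e.code, None
        except urllib.error.URLError:       # unreachable host, TLS failure, etc.
            return 0, None

    status, _ = get("/")
    result = {"access": classify_root_response(status), "indices": None, "sensitive": {}}
    if result["access"] != "open":
        return result
    _, cat = get("/_cat/indices?format=json")
    result["indices"] = summarize_indices(cat or [])
    for entry in cat or []:
        _, mapping = get("/" + entry["index"] + "/_mapping")
        if mapping:
            result["sensitive"][entry["index"]] = sensitive_fields(mapping)
    return result


if __name__ == "__main__":
    if len(sys.argv) > 1:                   # python es_audit.py http://host:9200
        print(json.dumps(audit(sys.argv[1]), indent=2))
    else:                                   # offline run on the constructed samples
        print(summarize_indices(SAMPLE_CAT))
        print(sensitive_fields(SAMPLE_MAPPING))
```

Run it with a base URL against a node you are authorized to test, or with no argument for the offline demo on the constructed samples. Elasticsearch releases before 8.0 shipped with authentication off, so a 200 from `/` without credentials is the classic signature of clusters like the one above; 8.x enables security by default and answers 401. A `password` field mapped as `keyword` or `text` means the value is stored and searchable exactly as written, which is how plaintext passwords end up in dumps like this one.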
Long-term consolidation efforts
The researchers could not determine who owns the database, so there is no confirmation of whether it was assembled for malicious purposes. Cybernews says the cluster resembles the work of data brokers, as it was highly organized and thoroughly segmented.
Since it was open for around three weeks, threat actors may well have picked it up in the meantime.
“Despite the short exposure window, the scale of the data set means that automated scraping during this period could have resulted in widespread secondary dissemination,” the researchers said.
The data mainly belongs to people in mainland China, with victims spread across several Chinese provinces.
The database may only have been exposed for a few weeks, but compiling its contents probably took much longer. The data was apparently not collected in one go and was likely scraped from various sources.
“The presence of timestamps and import dates points to a long-term aggregation effort rather than a single historical break,” the team explained.
The investigators did identify the provider hosting the cluster: a bulletproof hosting company “commonly associated with high-risk or non-compliant data operations.” After being notified, the provider appears to have locked down the database.