It seems that the incident was caused by an unsecured ElasticSearch server
As cybersecurity and digital forensics specialists from the International Institute of Cyber Security have warned, ElasticSearch servers, a search-engine technology used to index and query large data sets, are becoming the new main source of massive data leaks.
The company most recently affected by security breaches on ElasticSearch servers is Sky Brazil, one of the largest pay television service providers in South America.
Fabio Castro, a digital forensics specialist in Brazil, said that Sky Brazil left an ElasticSearch server exposed online for about ten days, possibly more. Castro says that at the end of November he discovered the server belonging to Sky Brazil indexed by Shodan, the well-known search engine for devices connected to the Internet.
Although the specialist initially did not know who owned the unprotected server (which could be reached at two different IP addresses), examining the leaked information made it possible to infer the identity of the owner. The digital forensics specialist says that the server stored records and API data belonging to Sky Brazil. In total, Castro found 28.7 GB of login files and 429.1 GB of API data.
Among the leaked data, the expert says, were personal information files on over 32 million residential and commercial clients. According to Castro, the personal data includes names, addresses and phone numbers, birth dates, billing details, and encrypted passwords.
Castro says that he discovered the server last week, but has reason to believe that it may have been indexed by Shodan since mid-October at least. The specialist reports that he informed the company about this massive leak last week. Although the company has not communicated directly with Castro, he says that the server was secured on Monday morning, Brazil time. In this way, the company expects to restrict external access to this information.
In the worst case, a malicious actor could already have obtained the Sky Brazil data, which would be very useful in online fraud campaigns such as spear phishing. Because it contains sensitive information about the affected users, a campaign of this kind is more likely to succeed in infecting users with malware or in obtaining further sensitive details, such as login credentials or financial data.
This is not the first time that a Brazilian organization has left an ElasticSearch server exposed. A few weeks ago, the Sao Paulo Federation of Industries exposed personal information on 24 million people online.
According to digital forensics experts, the main reason for these massive data leaks is that the administrators of ElasticSearch servers do not configure passwords on them; the servers are then exposed on the Internet, where any user with no special knowledge can access, copy or download any information stored in them.
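To illustrate the misconfiguration the experts describe, here is an added example (not from the article, and not Sky Brazil's actual configuration) of an elasticsearch.yml that exposes an unauthenticated node on every network interface, followed by a hardened version of the same file; the cluster name and certificate path are placeholders.

```yaml
# --- Weak configuration: the pattern behind leaks like this one (constructed example) ---
# The node listens on every interface, so port 9200 is reachable from the Internet,
# and the security module is switched off: anyone who finds the port (for instance
# through a Shodan index) can list and download every index without credentials.
cluster.name: billing-search          # placeholder name
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
xpack.security.enabled: false
---
# --- Hardened configuration: require authentication and stop listening publicly ---
cluster.name: billing-search          # placeholder name
# Bind only to loopback or to a private/VPN address of the application network.
# Keep a host or network firewall rule in front of 9200/9300 as well; do not rely
# on this setting alone.
network.host: 127.0.0.1
http.port: 9200
discovery.type: single-node
# Enable authentication and role-based access control. After restarting, create
# accounts with the elasticsearch-setup-passwords or elasticsearch-users tools and
# give applications their own least-privilege roles instead of the superuser.
xpack.security.enabled: true
# Encrypt the HTTP API so credentials and indexed data do not cross the network in clear.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12   # placeholder path
```

The two documents are shown in one file only for comparison; a real node takes a single elasticsearch.yml. After applying the hardened settings, confirm from a host outside the private network that the API on port 9200 is unreachable, and from inside it that an unauthenticated request is answered with HTTP 401 rather than an index listing.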