California voter database leaked again, with more data at risk
On Jan 31st, analysts at Kromtech Security received a Shodan-based breach report stating that a 95.1GB MongoDB instance had become publicly accessible on Jan 19th, meaning that anybody with an Internet connection could have accessed the database without any password or login. By the time we received the report the database had been taken offline, but the report on the type of data it held is still available through Shodan.
Upon closer inspection of samples from the database, it appeared to belong to The Sacramento Bee's digital media department, with many datasets attributable to their internal systems (API, subscribers, even letters to the editor).
The California-based news outlet was founded in 1857, has won six Pulitzer Prizes and has received numerous other awards in the company's long history. This is an interesting look into how complicated it can be when traditional media moves into the digital media sphere. The challenges of data security today are far more serious than when sensitive information could be locked away in file cabinets in a secure location. Today, anyone with an internet connection can gain access to highly personal data, and organizations are far behind when it comes to data security.
What The Database Contained:
Legislation data (bills, committees, voting results etc.)
Letters to editor, readers opinions, restaurant reviews and info
The SacBee internal systems info (URLs, internal keys, user-agent info, admin credentials, etc.)
Data visualization info (everything from most commonly used baby names in the area to lobbyist pay info)
The SacBee API info (incl. subscribers and clients info)
State pay info
A special part of the database was a registered-voter database for the entire state of California: 19,501,258 records.
Ironically, we had already reported a similar database leaked from an unknown source back in December: https://mackeepersecurity.com/post/cyber-criminals-steal-voter-database-of-the-state-of-california
The interesting relation between the two is that the voter database found in 2017 had been stolen by hackers who demanded a ransom to return the data. The latest discovery may also have been targeted by hackers or a ransomware attack. The database was labeled as 'compromised' shortly after it became publicly available and is now not accessible, but according to the Shodan report it contained a 'Warning' and a 'Readme' note, which is usually a ransomware note.
Unfortunately, businesses and organizations continue to disregard basic security rules when it comes to cloud repositories with a public-facing interface. Misconfigured MongoDB instances and AWS S3 buckets were among the most frequently reported causes of data leaks over the last year, and 2018 seems to be another challenging year for companies struggling to keep their data safe while forgetting simple cyber hygiene rules.
Is Any Data Really Safe?
It seems that every time we turn around there is another data breach or hack that exposes countless thousands or millions of users online, or a company that exposes all of its internal data and proprietary information. How safe is our data online? That is a hard question to answer because the threat landscape evolves daily, and there is no one-size-fits-all solution for data security.
However, there are many things that admins can do to make their storage repositories more secure. One such solution is the free open-source tool that Kromtech Security Center released to scan Amazon S3 buckets for public accessibility within your network. The tool gives users a report that they can then use to shut down any unwanted public access to the S3 buckets and the valuable data they contain. The Kromtech S3 Inspector tool provides an extra layer of security that administrators can use to identify unwanted access by unauthorized users.
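As an added illustration of the two misconfigurations discussed in this post, an unauthenticated MongoDB listening on the Internet and a publicly readable S3 bucket, the following Python helpers are offline audit checks written for this article; they are not part of the original post and not code from Kromtech's S3 Inspector tool. They assume the mongod.conf has already been parsed into a mapping (for example with PyYAML's safe_load) and that the S3 inputs have the shape returned by the GetBucketAcl and GetBucketPolicy APIs; every sample input below is constructed.

```python
"""Offline checks for the two misconfigurations discussed above: a mongod
that listens on every interface with authorization disabled, and an S3 bucket
whose ACL or bucket policy grants access to everyone.  Inputs are parsed
structures; the samples at the bottom are constructed for illustration."""

# The two AWS predefined groups that make an ACL grant public.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # anyone on the Internet
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account holder
}


def mongo_config_risks(cfg):
    """Return findings for a mongod.conf mapping (as produced by yaml.safe_load)."""
    findings = []
    net = cfg.get("net") or {}
    security = cfg.get("security") or {}
    # A missing bindIp is treated as localhost, the default since MongoDB 3.6;
    # older builds bound to all interfaces unless told otherwise.
    bind_ips = [ip.strip() for ip in str(net.get("bindIp", "127.0.0.1")).split(",")]
    exposed = any(ip in ("0.0.0.0", "::") for ip in bind_ips) or net.get("bindIpAll") is True
    auth_on = security.get("authorization") == "enabled"
    if exposed:
        findings.append("net.bindIp listens on all interfaces")
    if not auth_on:
        findings.append("security.authorization is not enabled (no login required)")
    if exposed and not auth_on:
        findings.append("CRITICAL: anyone who can reach the port can read every collection")
    return findings


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" appears in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def s3_public_access(acl, policy=None):
    """Return findings for a GetBucketAcl result and an optional bucket policy."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant.get('Permission')} to {group}")
    for stmt in (policy or {}).get("Statement", []):
        # An Allow to everyone with no Condition is public; a conditioned one
        # (e.g. aws:SourceVpc) needs manual review and is not flagged here.
        if (stmt.get("Effect") == "Allow"
                and _principal_is_everyone(stmt.get("Principal"))
                and "Condition" not in stmt):
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            findings.append("bucket policy allows " + ", ".join(actions) + " to everyone")
    return findings


# Constructed samples: one exposed and one hardened mongod.conf, and a bucket
# made public both through its ACL and through its policy.
EXPOSED_MONGOD_CONF = {
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
    "storage": {"dbPath": "/var/lib/mongo"},
}
HARDENED_MONGOD_CONF = {
    "net": {"port": 27017, "bindIp": "127.0.0.1,10.0.0.5"},
    "security": {"authorization": "enabled"},
}
PUBLIC_BUCKET_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_MONGOD_CONF), ("hardened", HARDENED_MONGOD_CONF)):
        print(f"mongod.conf ({name}):", mongo_config_risks(cfg) or ["no findings"])
    print("example-bucket:", s3_public_access(PUBLIC_BUCKET_ACL, PUBLIC_BUCKET_POLICY))
```

The hardened mongod.conf shows the two settings that would have kept the SacBee instance off Shodan's radar: binding only to loopback and an internal address, and turning on security.authorization so that a listener without credentials still cannot read collections. On the S3 side, a grant to AllUsers or AuthenticatedUsers in the ACL, or an Allow statement whose Principal is "*" with no Condition, is exactly what a public-accessibility scan like the one mentioned above reports.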
The bottom line is that now more than ever is the time to take data security seriously. When it comes to media and journalism it is extremely important to protect confidential sources and those who provide anonymous tips. A simple database or cloud storage repository leak can expose much more than user data and be a serious threat to the safety of anonymous sources. This is yet again a wake-up call for organizations to audit their storage repositories and ensure they are using the most up-to-date security practices.
This story is still unfolding and will be updated soon.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.
Do you have security tips or suggestions? Contact: firstname.lastname@example.org