TechCrunch reported a large scale bank loan and mortgage...
TechCrunch reported a large-scale bank loan and mortgage data leak on Wednesday[1]. Following up on that today[2], they've reported that the data leak came from an exposed Amazon S3 storage server using ElasticSearch that didn't have a password.
This is a good example of data leakage coming from unsecured data, rather than a specific vulnerability. In just 2018 alone, this sort of leak happened several times across multiple large scale organizations[3][4][5].
We have a number of "Unrestricted Access" plugins[6] that can help you look for potential issues like these. In addition to those, you'll also always want to make sure that you don't have anything showing in our "default password" list[7], since that's the same as not having a password at all in the wide world of rainbow tables!
[1] https://techcrunch.com/2019/01/23/financial-files/
[2] https://techcrunch.com/2019/01/24/mortgage-loan-leak-gets-worse/
[3] https://www.itpro.co.uk/cloud-storage/32484/unsecured-server-leaks-details-of-32-million-sky-brazil-subscribers
[4] https://www.zdnet.com/article/data-management-firm-veeam-mismanages-own-data-leaks-440m-email-addresses/
[5] https://www.zdnet.com/article/data-of-nearly-700000-amex-india-customers-exposed-via-unsecured-mongodb-server/
[6] https://www.tenable.com/plugins/search?q=%22Unrestricted%20access%22%20AND%20plugin_type%3A(remote)%20AND%20script_family%3A(%22CGI%20abuses%22%20OR%20%22CGI%20abuses%20%3A%20XSS%22%20OR%20%22Cloud%20Services%22%20OR%20Firewalls%20OR%20%22Web%20Servers%22%20OR%20Windows)&sort=&page=1
[7] https://www.tenable.com/plugins/search?q=%22default%20password%22&sort=&page=1
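As an added example of the kind of "no password at all" check the post is talking about (this is not code from the original post, nor one of Tenable's plugins), here is a minimal Python probe for an Elasticsearch HTTP API that answers without credentials. It sends a single unauthenticated GET to `/_cat/indices?format=json` and classifies the reply: a 200 with a JSON list of indices means anyone on the network can enumerate (and then read) the data, while a 401/403 means the cluster is enforcing authentication. The port 9200 default, the host name and the sample response bodies are assumptions constructed for illustration, not captured from any real server.

```python
"""Unauthenticated Elasticsearch probe (added example, not from the forum post).

Classifies the reply to an anonymous GET /_cat/indices?format=json so an
exposed, passwordless cluster stands out from one that enforces auth.
"""
import json
import sys
import urllib.error
import urllib.request

ES_PORT = 9200  # Assumed default Elasticsearch HTTP port; adjust for non-default deployments.


def classify_es_response(status, body):
    """Classify one HTTP response to the anonymous _cat/indices request.

    Returns:
      'open'    - 200 with a JSON list of index rows: data is readable without auth
                  (an empty list still counts as open; the API itself is exposed)
      'auth'    - 401 or 403: the cluster demands credentials or denies the caller
      'not_es'  - 200, but the body is not shaped like _cat/indices output
      'unknown' - any other status (5xx, redirects, ...)
    """
    if status in (401, 403):
        return "auth"
    if status == 200:
        try:
            parsed = json.loads(body)
        except ValueError:
            return "not_es"
        if isinstance(parsed, list) and all(isinstance(row, dict) and "index" in row for row in parsed):
            return "open"
        return "not_es"
    return "unknown"


def summarize_open_indices(body):
    """From an 'open' _cat/indices body, return (index name, doc count) pairs, largest first.

    Useful for triage: the biggest indices are where a leak like the one in the
    post would live. Missing or malformed docs.count values are treated as 0.
    """
    rows = json.loads(body)
    out = []
    for row in rows:
        try:
            count = int(row.get("docs.count") or 0)
        except ValueError:
            count = 0
        out.append((row.get("index", "?"), count))
    return sorted(out, key=lambda r: r[1], reverse=True)


def probe(host, port=ES_PORT, timeout=5):
    """Live probe: anonymous GET against http://host:port/_cat/indices?format=json.

    Deliberately sends no Authorization header and follows no login flow, so the
    result reflects exactly what an anonymous internet client would see.
    """
    url = f"http://{host}:{port}/_cat/indices?format=json"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_es_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 401/403/5xx arrive here, still classifiable
        return classify_es_response(err.code, err.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return "unreachable"


# Constructed sample responses for offline use (not captured from any real host).
OPEN_BODY = json.dumps([
    {"health": "yellow", "status": "open", "index": "loan_documents", "docs.count": "24000000"},
    {"health": "green", "status": "open", "index": "audit", "docs.count": "1200"},
])
AUTH_BODY = json.dumps({
    "error": {"type": "security_exception", "reason": "missing authentication credentials"},
    "status": 401,
})


if __name__ == "__main__":
    # Usage: python es_probe.py <host> [port]   (host is whatever you are allowed to test)
    target = sys.argv[1] if len(sys.argv) > 1 else "elasticsearch.example.invalid"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else ES_PORT
    print(f"{target}:{port} -> {probe(target, port)}")
```

Run it only against hosts you are authorized to test. A result of `open` is the finding: the fix is not just a password, it is keeping the cluster off the public network and enabling Elasticsearch security so the same request returns 401.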