

Ethical Hacking News

Data Breach Alert: 600K+ Sensitive Files Left Exposed Online by Data Broker SL Data Services



Over 600,000 sensitive files belonging to thousands of people have been exposed online due to a lack of proper security measures implemented by data brokerage firm SL Data Services. The breach was discovered by security researcher Jeremiah Fowler in October and has raised concerns about the potential risks associated with this exposure.



  • Over 600,000 sensitive files belonging to thousands of people were exposed online by SL Data Services.
  • The breach was discovered by security researcher Jeremiah Fowler in October and left thousands of people's records vulnerable to unauthorized access.
  • The database lacked proper security measures, including encryption and password protection.
  • 95% of the documents were labeled "background checks" and contained personal information such as addresses, phone numbers, and criminal histories.
  • The breach raised concerns about targeted phishing and social engineering attacks using exposed data.
  • SL Data Services has since closed the S3 bucket, but Fowler never received a response to his reports.



    SL Data Services, a data brokerage firm that provides property reports, including property and lien data, owner and neighbor information, crime and school info, plus mortgage and tax data for residential real estate across the US, has left over 600,000 sensitive files exposed online. The breach was discovered by security researcher Jeremiah Fowler in October, who reported it to the company multiple times via phone and email but received no response.

    The exposed database, which contained 644,869 PDF files in a 713.1 GB archive, was found to be non-password protected and lacked encryption. This left thousands of people's criminal histories, background checks, vehicle and property records vulnerable to being accessed by unauthorized individuals. Fowler observed that the folders inside the open database were named with separate website domains, suggesting that SL Data Services operates at least 16 different websites that provide a range of different data.

    According to Fowler, some 95 percent of the documents he saw were labeled "background checks," which contained full names, home addresses, phone numbers, email addresses, employment, family members, social media accounts, and criminal record history belonging to thousands of people. In at least one case, the criminal record indicated that the person had been convicted of sexual misconduct. Fowler noted that this exposed cache could be combined with other data points to make complete profiles of people - along with their family members and co-workers - providing everything criminals would need for targeted phishing and/or social engineering attacks.

    The lack of proper security measures implemented by SL Data Services has raised concerns about the potential risks associated with this breach. Fowler emphasized that the use of 128-bit encryption and SSL certificates, as claimed by the company, is insufficient to prevent such breaches. He also highlighted the importance of using unique identifiers that are random and hashed, rather than including personal or identifiable information in file names.
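The file-naming recommendation above, sketched as an added example (not code from Fowler's report or from SL Data Services): object keys are random, and a keyed hash of the subject identifier lives only in a private index. The `ReportIndex` class, the audit patterns and the sample keys are constructed assumptions.

```python
import hashlib
import hmac
import re
import secrets

# Constructed examples of descriptive names that put personal data in the object key.
LEAKY_KEYS = [
    "background-checks/John_Public_555-010-0199.pdf",
    "background-checks/jane.doe@example.com_criminal_record.pdf",
]

# Simple audit patterns (assumptions; extend for names, plates, case numbers).
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.\w+"),
    "phone": re.compile(r"(?<!\d)\d{3}[-.]\d{3}[-.]\d{4}(?!\d)"),
}

def pii_in_key(key):
    """Names of the PII patterns found in a storage key."""
    return sorted(name for name, rx in PII_PATTERNS.items() if rx.search(key))

def new_object_key(prefix="reports"):
    """128 random bits: the key reveals nothing about the person the file is about."""
    return f"{prefix}/{secrets.token_hex(16)}.pdf"

def subject_token(index_secret, subject_id):
    """Keyed hash of the subject identifier, stored only in the private index."""
    normalized = subject_id.strip().lower().encode()
    return hmac.new(index_secret, normalized, hashlib.sha256).hexdigest()

class ReportIndex:
    """Maps subject tokens to random object keys (held in memory for this demo)."""
    def __init__(self, index_secret):
        self.secret = index_secret
        self.by_subject = {}

    def store(self, subject_id):
        key = new_object_key()
        token = subject_token(self.secret, subject_id)
        self.by_subject.setdefault(token, []).append(key)
        return key

    def find(self, subject_id):
        return list(self.by_subject.get(subject_token(self.secret, subject_id), []))
```

Running `pii_in_key` over an existing bucket listing is a quick way to find keys that already embed personal data and need renaming.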

    Furthermore, Fowler recommended that organizations that collect and store sensitive data monitor their access logs to identify any unusual patterns - such as instances of mass viewing or downloading of files from the organization's cloud storage database or internal network. He also stressed the need for passwords and encryption to be used to secure sensitive data.
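The access-log monitoring described above, as an added example (not from Fowler's report): it parses S3 server access log records and flags any client that fetches an unusual number of distinct objects within a short window. The thresholds, bucket name, addresses and log lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Leading fields of an S3 server access log record (bucket owner through bytes sent).
LINE_RE = re.compile(
    r'^\S+ (?P<bucket>\S+) \[(?P<ts>[^\]]+)\] (?P<ip>\S+) (?P<requester>\S+) \S+ '
    r'(?P<op>\S+) (?P<key>\S+) "[^"]*" (?P<status>\d{3}) \S+ (?P<sent>\d+|-) ')

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed or truncated record: skip rather than crash
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["sent"] = 0 if rec["sent"] == "-" else int(rec["sent"])
    return rec

def mass_download_alerts(lines, window=timedelta(minutes=5), max_objects=25):
    """Return {ip: stats} for clients fetching > max_objects distinct keys per window."""
    records = sorted(filter(None, map(parse, lines)), key=lambda r: r["ts"])
    recent, alerts = defaultdict(deque), {}
    for rec in records:  # log delivery is not ordered, hence the sort above
        if rec["op"] != "REST.GET.OBJECT" or rec["status"] not in ("200", "206"):
            continue
        q = recent[rec["ip"]]
        q.append((rec["ts"], rec["key"], rec["sent"]))
        while rec["ts"] - q[0][0] > window:
            q.popleft()  # drop requests that fell out of the sliding window
        distinct = len({key for _, key, _ in q})
        if distinct > max_objects and distinct > alerts.get(rec["ip"], {}).get("objects", 0):
            alerts[rec["ip"]] = {"objects": distinct,
                                 "bytes": sum(sent for _, _, sent in q),
                                 "anonymous": rec["requester"] == "-"}
    return alerts

def constructed_sample():
    """Constructed log lines: one anonymous bulk reader, one normal authenticated user."""
    fmt = ('OWNERID example-bucket [{ts}] {ip} {who} REQ{n} REST.GET.OBJECT {key} '
           '"GET /{key} HTTP/1.1" 200 - 1100000 1100000 40 38 "-" "-" -')
    t0 = datetime(2024, 10, 1, 3, 0, tzinfo=timezone.utc)
    stamp = lambda dt: dt.strftime("%d/%b/%Y:%H:%M:%S %z")
    bulk = [fmt.format(ts=stamp(t0 + timedelta(seconds=n)), ip="203.0.113.7", who="-",
                       n=n, key=f"site-a/report-{n}.pdf") for n in range(40)]
    normal = [fmt.format(ts=stamp(t0 + timedelta(minutes=10 * n)), ip="198.51.100.20",
                         who="arn:aws:iam::111122223333:user/analyst", n=100 + n,
                         key=f"site-b/report-{n}.pdf") for n in range(3)]
    return normal + bulk + ["truncated line"]

if __name__ == "__main__":
    print(mass_download_alerts(constructed_sample()))
```

An alert with `anonymous` set to true means the objects were served without credentials, which points to a public bucket or object policy as well as a bulk reader.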

    The discovery of this breach has sparked concerns about the potential misuse of personal information, particularly in the context of targeted phishing and social engineering attacks. As Fowler noted, knowing things like employment, criminal records, and family members from one report raises a lot of security concerns.

    In August, National Public Data confirmed a massive data leak after nearly 3 billion personal records were exposed online. Its parent company, Jericho Pictures, filed for bankruptcy last month, admitting "hundreds of millions" of people were potentially affected. This breach highlights the ongoing threat of data breaches and the need for organizations to prioritize security measures.

    SL Data Services has since closed up the S3 bucket containing the sensitive files, but Fowler never received any response to his reports. The Register also reached out to SL Data Services for comment, but did not hear back.

    The incident serves as a reminder that even seemingly secure data can be vulnerable to breaches if proper security measures are not in place. As such, it is essential for organizations to take proactive steps to protect sensitive data and implement robust security protocols.

    Fowler's report on the incident, slated to be released on Wednesday, provides further details and recommendations for preventing similar breaches in the future.

    The discovery of this breach has significant implications for individuals whose personal information was exposed. It highlights the need for organizations to prioritize data security and take proactive steps to protect sensitive information. As such, it is essential for organizations to implement robust security protocols and monitor their access logs to prevent such breaches from occurring in the first place.

    In conclusion, the exposure of 600K+ sensitive files by SL Data Services serves as a wake-up call for organizations to prioritize data security and take proactive steps to protect sensitive information. The incident highlights the ongoing threat of data breaches and the need for robust security protocols to be implemented.

    Summary:

    A data breach has exposed over 600,000 sensitive files belonging to thousands of people. The breach was discovered by security researcher Jeremiah Fowler in October, who reported it to the company multiple times but received no response. The files were found to be non-password protected and lacked encryption, making them vulnerable to being accessed by unauthorized individuals. SL Data Services has since closed up the S3 bucket containing the sensitive files, but Fowler never received any response to his reports. The incident highlights the ongoing threat of data breaches and the need for organizations to prioritize data security and implement robust security protocols.



    Related Information:

  • https://go.theregister.com/feed/www.theregister.com/2024/11/27/600k_sensitive_files_exposed/

  • https://www.msn.com/en-us/news/technology/data-broker-leaves-600k-sensitive-files-exposed-online/ar-AA1uRTuY

  • https://arstechnica.com/tech-policy/2023/11/data-brokers-staggering-sale-of-sensitive-info-exposed-in-unsealed-ftc-filing/


  • Published: Wed Nov 27 13:38:05 2024 by llama3.2 3B Q4_K_M













         

