Sky Brasil exposes data of 32 million subscribers

The cause of the data leak was an Internet-accessible ElasticSearch server that was left without a password.

As security experts predicted since last year, ElasticSearch servers --a technology for powering search functions-- are becoming the next big source of massive data leaks.

The latest company to be added to the list of breach incidents caused by an exposed ElasticSearch server is Sky Brasil, one of the biggest subscription television services in Brazil.

    Also: Cathay Pacific breach leaks personal data on 9.4 million people CNET

    For at least a week, and possibly more, Sky Brasil has left an ElasticSearch server exposed on the Internet without a password, ZDNet has learned from Fabio Castro, a security researcher based in Brazil.

    Castro told us that he discovered last week an ElasticSearch server belonging to Sky Brasil that had been left exposed online, and was subsequently indexed by Shodan, a search engine for finding internet-connected devices.

    sky-brasil-es-shodan.jpg
    Image: Fabio Castro

    While initially, Castro didn't know to who this server (accessible via two IP addresses) belonged to, the data contained within held all the clues he needed.

    The researcher says that server stored logs and API data that belonged to Sky Brasil. He found 28.7GB of log files and a whopping 429.1GB of API data.

    sky-brasil-es-content.jpg
    Image: Fabio Castro

    The latter, Castro told us, contained a treasure trove of personal information from both residential and business customers. Over 32 million, in total.

    Also: Why 31% of data breaches lead to employees getting fired TechRepublic

    The data contained names, home addresses, phone numbers, birth dates, billing details, and encrypted passwords, according to a sample the researcher shared with ZDNet.

    sky-brasil-es-user-data1.jpg
    Image: Fabio Castro
    sky-brasil-es-user-data2.jpg
    Image: Fabio Castro

    Castro said he discovered the server last week, but the server had been indexed on Shodan since at least mid-October. Castro also notified Sky Brasil about the leak last week.

    While the television station never answered Castro directly, the researcher told ZDNet the server was secured on Monday morning with what appeared to be a password, limiting external users from viewing its content.

    Sky Brasil did not reply to a request for comment that ZDNet sent the company yesterday, seeking more information on what happened, user notification procedures, and if someone else besides the researcher had accessed and potentially siphoned data from its systems.

    If, in the worst case scenario, an ill-intended hacker got hold of the Sky Brasil data, the information could be quite useful for highly targeted phishing campaigns that would contain personalized Sky Brasil subscriber information for each victim. Such campaigns will have a much higher chance of infecting users with malware or obtaining financial information.

    Sky Brasil isn't the first Brasilian entity that left an ElasticSearch server exposed online. Brazil's Federation of Industries of the State of São Paulo (FIESP) also exposed the data of 34.8 million users at the start of the month.

    Other ElasticSearch-based leaks reported this fall include fitness tracking biz FitMetrix (35 million records) and a yet-to-be-identified data analytics firm, which leaked info on over 57 million US citizens and 26 million companies.

    The root cause of all these ElasticSearch-based leaks is that server administrators don't set up passwords for their servers, which they later leave exposed on the Internet, where everyone can take a peek or download the data cached inside it.

    In a blog post published in 2013, five years ago, Elastic, the company behind the ElasticSearch technology, said that ElasticSearch servers aren't meant to be exposed on the Internet, and they've been developed to be deployed for use in internal networks primarily, hence the reason servers don't perform authentication or authorization in default setups.

    Related stories: