San Diego, California-based Digital Point describes itself as the "largest webmaster community in the world," bringing together freelancers, marketers, coders, and other creative professionals.
On July 1, the WebsitePlanet research team and cybersecurity researcher Jeremiah Fowler uncovered an unsecured Elasticsearch database containing over 62 million records. In total, data belonging to 863,412 Digital Point users was included in the leak.
According to the team, names, email addresses, and internal user ID numbers were made publicly available.
In addition, internal records and user post details were stored in the open database. While examining the database to identify its owner, the researchers came across sets of data relating to forum members who had flagged posts and their reasons for doing so, including allegations of "bad business dealings" and spam, as well as other reasons, some described as appearing to be "petty and personal."
Aside from the usual security ramifications of user data theft and phishing, the database could have become one of many to succumb to Meow Bot, an automated script that was responsible for the compromise of thousands of unsecured MongoDB and Elasticsearch databases in July. Once the script has been deployed, it overwrites data with numbers and the word "meow."
"One of the dangers of a non-password protected database is that it is a sitting target waiting to be stolen, encrypted, or deleted," the team says.
Fowler sent a responsible disclosure notice to Digital Point on July 1, the same day the leak was discovered, by way of a suitable email address found within the database. The alert was taken seriously and access to the database was revoked within hours.
However, the forum did not communicate with the researchers or respond to follow-up requests.