A UK-based cybersecurity firm that threatened legal action against a security blogger has confirmed that a contractor temporarily exposed a database containing five billion email addresses and passwords collated from previous data breaches.
Keepnet Labs collects historic breach data from “online public resources” so that it can notify its customers if their business domain has been compromised. This is a common and entirely legal method used by threat intelligence services.
In March 2020, a third-party IT service provider employed by Keepnet Labs carried out “scheduled maintenance” of the data breach database, according to a statement published yesterday by Keepnet Labs.
While migrating the Elasticsearch database, the engineer responsible disabled “the firewall for approximately 10 minutes to speed up the process”.
During this time the database was indexed by BinaryEdge, an internet indexing service. The following day, security researcher Bob Diachenko was able to access the data without requiring a password “via an unprotected port”.
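The failure mode above is a firewall used as the only barrier between an Elasticsearch node and the internet: once it was switched off, the node answered unauthenticated requests on its open port and was picked up by an indexing service within a day. The following is an added example, not code from Keepnet Labs or from the article, of two defender-side checks: a linter for an elasticsearch.yml that flags a node bound to every interface with the security stack off, and the kind of external check a 24/7 exposure monitor would run against a node's HTTP API. The configuration samples, the endpoint address and the fetch function are constructed for this example; the setting names (network.host, xpack.security.enabled, xpack.security.http.ssl.enabled) are real Elasticsearch settings.

```python
"""Added example (not Keepnet's or Verdict's code): defender-side checks for an
Elasticsearch node that must not depend on a perimeter firewall alone.

1. audit_es_config(): lint elasticsearch.yml so authentication and TLS are on
   even when the firewall is not.
2. probe_es(): what an exposure monitor for one's own nodes would run; the
   network call is injectable so the logic can be tested offline.
"""
import json
import urllib.error
import urllib.request

# Constructed sample: bound to every interface, security stack disabled.
WEAK_CONFIG = """
cluster.name: breach-index
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: the hardened equivalent (private address, auth + TLS on).
HARDENED_CONFIG = """
cluster.name: breach-index
network.host: 10.0.3.12
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def _parse_flat_yaml(text):
    """Parse the flat 'key: value' lines used by elasticsearch.yml; comments and
    blank lines are ignored (nested YAML is not needed for these settings)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def audit_es_config(text):
    """Return a list of findings; an empty list means no obvious weakness."""
    s = _parse_flat_yaml(text)
    findings = []
    host = s.get("network.host", "localhost")
    if host in ("0.0.0.0", "::", "_global_"):
        findings.append(f"network.host={host}: node listens on every interface")
    # Treated as a finding unless explicitly true: the default has varied
    # between major versions, so an absent key is not a safe assumption.
    if s.get("xpack.security.enabled", "").lower() != "true":
        findings.append("xpack.security.enabled is not true: HTTP API has no authentication")
    if s.get("xpack.security.http.ssl.enabled", "").lower() != "true":
        findings.append("xpack.security.http.ssl.enabled is not true: traffic in the clear")
    return findings


def _http_get(url, timeout=5):
    """Real fetcher: returns (status_code, body_text); raises OSError when the
    host cannot be reached."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def probe_es(base_url, fetch=_http_get):
    """Classify what an unauthenticated client sees at one of our own nodes.
    `fetch(url) -> (status, body)` is injectable for offline tests."""
    try:
        status, body = fetch(base_url.rstrip("/") + "/_cat/indices?format=json")
    except OSError:
        return "unreachable"          # firewall or host is doing its job
    if status == 401:
        return "auth_required"        # security stack answering as expected
    if status == 200:
        try:
            indices = json.loads(body)
        except ValueError:
            return "unknown"
        if isinstance(indices, list):
            return "exposed_unauthenticated"  # index list handed out freely
    return "unknown"


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_es_config(cfg) or "no findings")
```

A monitor built on probe_es should alert on "exposed_unauthenticated" and also on a change from "unreachable" to anything else, since that transition is exactly what a maintenance window that drops the firewall looks like from outside.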
Diachenko downloaded 2MB of data from the 867GB database and was able to confirm that the data came from prominent historic data breaches, including those of Adobe, Twitter and LinkedIn.
The “well-structured data” included the source of the breach, the year the breach was made public, the breached email address, the breached password or hash, and the format of the breached password (e.g. plaintext, encrypted or hashed).
All of the data was previously publicly available from breaches that took place between 2012 and 2019. The database contained no Keepnet Labs customer data.
Diachenko identified Keepnet as the owner of this database from the SSL certificate and reverse DNS records and notified the security firm “immediately”.
“Within an hour” of Diachenko sending the email the database was taken offline, although he received no reply from Keepnet. The firm said it did not initially reply to Diachenko’s alert email because it landed in Keepnet’s spam folder.
Keepnet said the reason he was unable to access the mega-database was that “it was only exposed for a very short period of time during the migration”.
However, according to Diachenko, the database was indexed on 15 March and discovered by him on 16 March. This would mean the database was unprotected for as long as 24 hours.
Verdict has asked Keepnet Labs for clarification on this timeline.
Scrubbing Keepnet’s name from the internet
In the following days several media outlets and blogs reported the exposure of the Keepnet Labs database. Like Diachenko, these articles named Keepnet Labs.
During the following three months all of the stories removed any mention of Keepnet Labs from their reporting.
“There are articles online connected to this event that contain inaccuracies which could be misleading – many of these posts have now been amended, but we would like to set the record straight,” said Keepnet in its statement.
Independent security expert and blogger Graham Cluley, one of those to publish Keepnet’s name, was threatened with legal action if he did not remove all mentions of the company from his blog post.
Correspondence seen by Verdict shows that Cluley gave Keepnet several opportunities in March and April to provide a statement to include in his article. Keepnet declined to do so and insisted that he remove their name from the post.
On 2 June Cluley received a “notice and take-down letter” from Keepnet’s lawyers, Silvine Law.
The letter, seen by Verdict, insisted that “no data of the customers of our client had been exposed”. However, at no point in Cluley’s blog post did he state that Keepnet customer data had been affected.
It also stated that “any allegation that 5 billion records were exposed by our client is entirely fabricated”, pointing the finger at the contract with the third-party IT provider maintaining the database.
Following the legal threat, Cluley redacted Keepnet’s name from his post.
“I hope readers will accept my apologies for what is clearly unsatisfactory, but I can ill-afford to get embroiled in a legal fight,” he wrote in the updated version.
Cluley told Verdict that he welcomed Keepnet Labs publishing a statement about the data exposure.
“Disclosures of failure can be painful, but they ultimately are less embarrassing and damaging than cover-ups. Most of us in the industry accept that accidents can happen, and mistakes can occur. We should own up to our mistakes in a prompt fashion and lead by example,” he said.
“Keepnet Labs would have done well to publish its statement at the time the breach was disclosed and work with the news agencies to give their side of the story. As it is their failure to respond in a timely and transparent fashion made it a much bigger deal.”
Keepnet Labs said it will no longer use the third-party IT service management firm, has deleted 4.8 billion records it considered surplus to requirements, and now conducts 24/7 monitoring of its threat intelligence software.
Breached passwords stored by Keepnet are now “obfuscated”.
“We recognise that even though the passwords are available on the internet, we do not actually require them and the threat intelligence service is not degraded as a result,” the company said.
“We accept that for the period the firewall was disabled by the service provider, those individuals were at increased risk on the basis that there was another duplicate copy of the data online for those with the technical skills to access it. For this, on behalf of Keepnet Labs and the service provider, we are very sorry.”
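The remediation Keepnet describes, keeping the service working while no longer retaining passwords it does not need, is a data minimisation problem: a domain-compromise notification only needs the breach source, year and email domain, and a password-reuse check can work from a keyed digest rather than the plaintext. The following is an added example, not Keepnet's code, of that design applied to records in the shape the article lists. The sample rows, the pepper value and the function names are constructed for this example; the pepper is assumed to live outside the database (for instance in a key management service) so that a copy of the index alone does not allow the digests to be reversed by guessing.

```python
"""Added example (not Keepnet's code): minimise breach-dump records so the
stored index supports domain notification and password-reuse checks without
holding plaintext passwords.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed sample rows with the fields the article describes.
RAW_RECORDS = [
    {"source": "exampleA", "year": 2013, "email": "Alice@corp.example",
     "password": "hunter2", "format": "plaintext"},
    {"source": "exampleB", "year": 2016, "email": "bob@corp.example",
     "password": "5f4dcc3b5aa765d61d8327deb882cf99", "format": "hash"},
    {"source": "exampleA", "year": 2013, "email": "carol@other.example",
     "password": "letmein", "format": "plaintext"},
]

# Assumption: a secret held outside the index (e.g. in a KMS), never in the DB.
PEPPER = b"constructed-secret-pepper-for-this-example"


def _keyed_digest(value, pepper):
    """HMAC-SHA256 of the password value under a secret pepper: deterministic,
    so reuse can be matched, but useless without the pepper."""
    return hmac.new(pepper, value.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise(record, pepper=PEPPER, keep_digest=True):
    """Return the stored form of one record: breach metadata, normalised email
    and domain, and either a keyed digest of the password or nothing at all."""
    email = record["email"].strip().lower()
    stored = {
        "source": record["source"],
        "year": int(record["year"]),
        "email": email,
        "domain": email.rsplit("@", 1)[-1],
        "format": record["format"],
    }
    if keep_digest and record.get("password"):
        stored["password_hmac"] = _keyed_digest(record["password"], pepper)
    return stored


def build_domain_index(records, **kw):
    """Map domain -> sorted (source, year) appearances, plus the minimised rows.
    The plaintext password field never reaches the returned structures."""
    index = defaultdict(set)
    stored = [minimise(r, **kw) for r in records]
    for s in stored:
        index[s["domain"]].add((s["source"], s["year"]))
    return {d: sorted(v) for d, v in index.items()}, stored


def password_seen(candidate, stored, pepper=PEPPER):
    """Has this candidate password appeared in any stored record? Compares keyed
    digests in constant time; the index holds no plaintext to leak."""
    digest = _keyed_digest(candidate, pepper)
    return any(hmac.compare_digest(digest, s.get("password_hmac", ""))
               for s in stored)


if __name__ == "__main__":
    domains, rows = build_domain_index(RAW_RECORDS)
    print("corp.example seen in:", domains["corp.example"])
    print("plaintext retained:", any("password" in r for r in rows))
```

With keep_digest=False the index drops the password entirely, which is the position Keepnet's statement arrives at: the domain notification service is unchanged, and a future exposure of the index leaks only email addresses that were already public with the original breaches.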