July 29, 2020updated 06 Aug 2020 4:52pm

Nordpass: Ten billion user credentials left exposed in unsecured databases

By Ellen Daniel

Over ten billion user credentials have been left exposed online thanks to unsecured databases.

This is according to NordPass. As part of in-depth research, the password manager, in partnership with a white hat hacker who scanned elasticsearch and mongoDB libraries looking for unprotected databases, discovered 9,517 unsecured databases containing 10,463,315,645 entries. This included data such as emails, passwords and phone numbers from 20 different countries.

Of the almost 10,000 unsecured databases NordPass discovered, almost 4000 were from China, with the US having 3000 unsecured databases and India having 520.

NordPass estimates that data related to 2.6 billion users could be included in the databases.

Unsecured databases are data sets stored on cloud hosting services that have not been properly secured, meaning they can be accessed by unauthorised users. This means that a cyber criminal would not even have to breach an organisation to access data, but could simply find it unprotected online.

Data repositories, such as Amazon Web Services’s AWS S3 bucket, have led to many accidental data leaks when customers leave them public instead of private.

Finding exposed databases is also fairly straightforward, with search engines such as Censys or Shodan scanning the web for them.

Even if financial information is not included, hackers can use information found on unsecured databases to carry out phishing or social engineering attacks. The inclusion of passwords in unsecured databases also makes it easy for attackers to breach victims’ online accounts.

Unprotected databases have been the reason behind some high-profile data leaks, such the incident last year in which millions of Facebook records, including passwords, were left exposed on a public Amazon server.

Earlier this year, Verdict uncovered an unsecured server that left the personal data of 17,379 yachting industry professionals exposed.

“Every company, entity, or developer should make sure they never leave any database exposed, as this is obviously a huge threat to user data,” says Chad Hammond, security expert at Nordpass.

“Proper protection should include data encryption at rest, wire (in motion) data encryption, identity management, and vulnerability management.

“Identity management is another important step and should be used to ensure that only the relevant people in an enterprise have access to technological resources.”


Read more: We’d change AWS S3 bucket security if we had “a time machine”: AWS director.


Verdict deals analysis methodology

This analysis considers only announced and completed cloud-deals deals from the GlobalData financial deals database and excludes all terminated and rumoured deals. Country and industry are defined according to the headquarters and dominant industry of the target firm. The term ‘acquisition’ refers to both completed deals and those in the bidding stage.

GlobalData tracks real-time data concerning all merger and acquisition, private equity/venture capital and asset transaction activity around the world from thousands of company websites and other reliable sources.

More in-depth reports and analysis on all reported deals are available for subscribers to GlobalData’s deals database.

Topics in this article: ,