As ElasticSearch-based leaks become the latest source of massive data exposures, Sky Brasil, one of the biggest subscription television services in Brazil, is the latest to leave its customers exposed after not securing the server with a password.
Independent researcher Fabio Castro found the firm exposed the data of 32 million subscribers in 28.7GB of log files and 429.1GB of API data that revealed names, home addresses, phone numbers, birth dates, client IP addresses, payment methods, and encrypted passwords.
"The data the server stored was Full name, e-mail, password, pay-TV package data (Sky Brazil), client IP addresses, personal addresses, payment methods," Castro told BleepingComputer. "Among other information the model of the device, serial numbers of the device that is in the customer's home, and also the log files of the whole platform."
Although Castro discovered the incident and notified Sky Brasil last week, the server has been indexed on Shodan since at least mid-October. It is unclear how many people have had access to the database, which has been password secured since Monday morning.
NuData Security Vice President Ryan Wilk said this has been a particularly bad year for news of the “non-breach ‘breach’” of sensitive user PII.
“The unfortunate mishandling of trusted data by Sky Brasil, and before that Deep Root, data.gov.uk, and WWE continues to show that sophisticated hacking is not required to obtain troves of identity data that can be used to create fraudulent identities or access online personas,” Wilk said. “We have hit a turning point where financial and identity cyber crime has become something that a person with the most basic computer skills can dabble in.”
Wilk added that firms should rethink how they protect and identify users by making data valueless using advanced techniques such as passive biometrics and behavioral analytics that identify users by their online behaviors.
“Understanding the user behind the device is key in effect devaluing the stolen identity data to any other person or entity,” Wilk added.
Earlier this week, an ElasticSearch server exposed the data of nearly 57M U.S. residents, and in another incident the London-based Urban Massage app leaked data on 300K customers, including sexual misconduct claims.