Despite immediate action to block the infiltration of the targeted business application, attackers' access between Aug. 3 and Aug. 6 enabled the exfiltration of individuals' names and other sensitive details.
More than 120,000 files and over 1.7 million activity logs leaked by the database revealed Confidant Health patients' psychiatry intake notes, medical histories, disclosures of alcohol and other substance abuse, moods, memory, medications, and overall mental state.
Individuals' full names, birthdates, phone numbers, ID numbers, email addresses, home addresses, vehicle identification numbers, car brands and models, engine numbers, and vehicle colors were leaked by the unsecured Elasticsearch instance.
Such malicious JavaScript code — which is potentially targeted at exfiltrating the credentials of Cisco employees who usually use the site during the checkout process — may have been deployed through the exploitation of the critical XML external entity injection vulnerability in Adobe Commerce dubbed "CosmicSting."
Security pros say that while side-channel attacks are difficult to pull off, the sheer volume of YubiKey devices in use makes the potential threat a real concern.