Category Archives: data leak

Data Leak Exposes Instagram Influencers

A leaked database has compromised the personal information of more than 49 million Instagram users, including celebrities and “influencers.”

The information was found on an unsecured database hosted on an Amazon cloud server and includes public-facing information from Instagram accounts as well as personal details, including email addresses and phone numbers. Techcrunch, the website that initially broke the story, traced the database back to Chtrbox, a social media marketing firm based in Mumbai.

The database appears to have been initially compiled to determine relative costs and overall influence of each Instagram account.

The chief executive of Chtrbox declined to comment on the story.

See the initial Techcrunch news article here.

 

The post Data Leak Exposes Instagram Influencers appeared first on Adam Levin.

Data belonging to Instagram influencers and celebrities exposed online

A new data leak made the headlines, a database containing the contact information of millions of Instagram influencers, celebrities and brand accounts has been found online.

The news was first reported by the TechCrunch website, a database was left unprotected on an AWS bucket, anyone was able to access it without authentication.

instagram

The unprotected database was discovered by the security researcher Anurag Sen that immediately reported its discovery to TechCrunch in an effort to find the owner.

“A massive database containing contact information of millions of Instagram  influencers, celebrities and brand accounts has been found online.” states TechCrunch.

“At the time of writing, the database had over 49 million records — but was growing by the hour.”

The database contained public data scraped from influencer Instagram accounts, including their bio, profile picture, the number of followers, have, if they’re verified, their location by city and country, private contact information, the email address and phone number of the Instagram account owner.

Each record in the database also contained a field that calculated the worth of each account.

The list of influencers in the archive includes prominent food bloggers, celebrities and other social media influencers.

According to TechCrunch, the database belongs to India-based social media marketing firm Chtrbox, which pays influencers to post sponsored content on their accounts.

Strangely two people contacted by TechCrucnh that confirmed the authenticity of the data in the archive denied any involvement with Chtrbox.

“We contacted several people at random whose information was found in the database and provided them their phone numbers. Two of the people responded and confirmed their email address and phone number found in the database was used to set up their Instagram accounts.” continues the website. “Neither had any involvement with Chtrbox, they said.”

TechCrunch contacted Chtrbox that secured the database, but it is not clear how the company obtained those data.

Facebook, that currently owns Instagram, announced it is investigating the incident.

“We’re looking into the issue to understand if the data described – including email and phone numbers – was from Instagram or from other sources,” reads a statement from Facebook. “We’re also inquiring with Chtrbox to understand where this data came from and how it became publicly available,”

In 2017, a vulnerability in the Instagram application that allowed hackers to access information for high-profile users including phone numbers and email addresses of 6 million celebrities.


If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – Instagram, data leak)

The post Data belonging to Instagram influencers and celebrities exposed online appeared first on Security Affairs.

Dozens of Linksys router models leak data useful for hackers

Dozens of Linksys router models are affected by a flaw that causes the leak of data that can be used by attackers …. and the company won’t fix it.

Security researcher Troy Mursch, Chief Research Officer of Bad Packets, discovered that over 20,000 Linksys wireless routers are leaking full historical records of every device ever connected to them.

The leaked information includes devices’ unique identifiers, names, and operating systems, clearly, these data could be abused by hackers for attacks.

According to Mursch, the root cause of the data leak is a persistent vulnerability that resides in dozens of models of Linksys routers. Unfortunately, the flaw is very easy to exploit, and it is possible.

The devices continue to leak the information even when their firewall is turned on.

The expert used the Binary Edge IoT search engine to find vulnerable devices, earlier this week he discovered 25,617 routers that were leaking a total of 756,565 unique MAC addresses.

The disclosure of the historical records of devices that have connected to a specific router exposes the users to attacks, the knowledge of MAC addresses could be abuse by APT groups in targeted attacks, like the recent supply chain attack against ASUS.

The situation could be worse if owners of the routers were using default admin credentials. The issue discovered by the expert, in fact, could be used by attackers to discover if the vulnerable routers are still using default administrative passwords.

Mursch discovered that about 4,000 of the vulnerable devices were still using the default admin credentials. The vulnerable routers have remote access enabled by default, a gift for hackers that can perform a broad range of malicious activities, such as change DNS settings and deliver malware.

Mursch reported the flaw to Linksys, but unfortunately, the company closed the issue as “Not applicable / Won’t fix.”

Mursch published the list of vulnerable devices released on Pastebin.

Linksys flaw

If you are using one of the vulnerable devices you would replace it.

If you manage a MongoDB instance follow the guidelines on “how to secure a MongoDB database” 

If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you

Pierluigi Paganini

(SecurityAffairs – LinkSys, Data leak)

The post Dozens of Linksys router models leak data useful for hackers appeared first on Security Affairs.

Twitter inadvertently collected and shared iOS location data

Twitter confirmed revealed that a bug in its iOS app it the root cause for an inadvertent collection of location data and sharing it with a third-party.

A new story of a violation of the user’s privacy made the lines, Twitter revealed that due to a bug is collected and shared iOS location data with a third-party advertising company,

Fortunately, only one partner of the micro-blogging firm was involved and the data collection and sharing occurred in certain circumstances.

“We have discovered that we were inadvertently collecting and sharing iOS location data with one of our trusted partners in certain circumstances.” reads the security advisory published by Twitter.

“Specifically, if you used more than one account on Twitter for iOS and opted into using the precise location feature in one account, we may have accidentally collected location data when you were using any other account(s) on that same device for which you had not turned on the precise location feature,”

Twitter admitted having failed into removing the location data from the information shared with the trusted advertising partner that was accessing it during real-time bidding process. 

The company pointed out that location data its shared could not be used to track individuals because it had implemented technical measures to “fuzz” the information. Twitter explained that shared was no more precise than zip code or city (5km squared).

Twitter did not share users’ handles or other unique account IDs, this means that it was impossible to link the identity of a specific user to a geographic location. 

“The partner did not receive data such as your Twitter handle or other unique account IDs that could have compromised your identity on Twitter.” continues the announcement.

“This means that for people using Twitter for iOS who we inadvertently collected location information from, we may also have shared that information with a trusted advertising partner,”

Another good news is that the partner did not retain the data that was deleted “as part of their normal process.” 

Twitter

Twitter has already fixed the issue and notified the incident to all the impacted users, anyway it did not reveal the extent of the incident either for how long it shared the data with its partner.

“We invite you to check your privacy settings to make sure you’re only sharing the data you want to with us. We’re very sorry this happened. We recognize and appreciate the trust you place in us and are committed to earning that trust every day,” concludes Twitter.

Pierluigi Paganini

(SecurityAffairs – privacy, data leak)

The post Twitter inadvertently collected and shared iOS location data appeared first on Security Affairs.

Unprotected DB exposed PII belonging to nearly 90% of Panama citizens

Personally identifiable information belonging to roughly 90% of Panama citizens were exposed on a poorly configured Elasticsearch server.

Security researcher Bob Diachenko discovered an unprotected Elasticsearch server exposing personally identifiable information belonging to nearly 90% of Panama citizens.

Exposed data includes full names, birth dates, national ID numbers, medical insurance numbers, and other personal data.

The database contained 3.4 million records related to Panamanian citizens, labeled as “patients,” and 468,086 records labeled as “test-patient.”

“On May 10th I identified a massive bulk of data sitting in an unprotected and publicly available Elasticsearch cluster (hence visible in any browser).” reads the blog post published by Diachenko.

“This database contained 3,427,396 records with detailed information on Panamanian citizens (labeled as ‘patients‘), plus 468,086 records with records labeled as ‘test-patient‘ (although, this data also appeared to be valid and not purely test data).”

Panama Citizens data leak

The expert reported his discovery to CERT Panama, and within 48 hours the database has been secured.

At this time, it is unclear who was running the poorly secured server, anyway the exposed information appears to be authentic.

Querying the Shodan search engine service, the researcher discovered that the IP address associated with the unprotected server has been indexed since April 24th, 2019. Of course, it is impossible to determine if anyone else has accessed the data.

“The danger of having an exposed Elasticsearch or similar NoSql databases is huge.” concludes Diachenko. “I have previously reported that the lack of authentication allowed the installation of malware or ransomware on the MongoDB servers. The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges.” “Once the malware is in place criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains.”

Pierluigi Paganini

(SecurityAffairs – Panama, data leak)

The post Unprotected DB exposed PII belonging to nearly 90% of Panama citizens appeared first on Security Affairs.