Experts' Reaction On 1.2 Billion Records Found Online On An Exposed, Unsecured Single Server

News has broken that 1.2 billion records were found online on a single exposed, unsecured server. The data does not include sensitive fields such as passwords, credit card numbers or Social Security numbers, but it does contain profiles of hundreds of millions of people: home and cell phone numbers linked to social media profiles on Facebook, Twitter, LinkedIn and GitHub, work histories apparently scraped from LinkedIn, almost 50 million unique phone numbers, and 622 million unique email addresses.


EXPERTS COMMENTS
Ameesh Divatia, Co-Founder & CEO, Baffle
November 25, 2019
Companies must address gaps in security due to human error and focus on more data-centric protection around the data values.
It is somewhat unique that the actual database was left exposed in this particular scenario. These continued breaches validate that more fail-safe protection methods need to be put in place to address gaps in the security model due to human error and data sharing with third parties. Companies need to have a stronger focus on data-centric protection around the actual data values, like record-level ....
[Read More >>]
Sammy Migues, Principal Scientist, Synopsys
November 25, 2019
In cryptography, algorithms are meant to be public and the keys are meant to be private.
In modern society, the algorithms that dictate much of what we see and hear are inscrutable and our widely-published personal information is the key to making those algorithms generate enormous amounts of revenue for the algorithm owners and arguable amounts of value for us. The reason this reality is less catastrophic than it could be is that everyone's private data is grist for the mill. If the ....
[Read More >>]
Tim Mackey, Principal Security Strategist, Synopsys CyRC
November 25, 2019
If the data isn’t specific to the service being delivered (e.g. shipping address), then there is no shame in being blunt with the company.
This incident highlights multiple data privacy tenets. The most obvious of which being that given access to any data, organizations will find a way to use, and potentially misuse it. In this case, someone had access to user profile data from multiple social media platforms and then merged that data together with the combined data allowing users to be more readily identified. While the origin of t ....
[Read More >>]
Robert Capps, VP, NuData Security
November 25, 2019
Companies need to expedite the transition from credential and knowledge-based authentication.
Every day, we read headlines about new breaches and data exposures, so it is not surprising to come across places where this data is available for the taking. If anything, this finding should be a stark reminder that relying on credentials and personally identifiable information for user authentication is outdated. Bad actors compile the same user’s information from different breaches and then ....
[Read More >>]
Robert Ramsden Board, VP EMEA, Securonix
November 25, 2019
However, the data that was breached could expose individuals to identity theft, credential stuffing and phishing scams.
This data breach seems to just be the latest in what seems to be a never-ending string of incidents. Yet, the sheer volume of data that has been collected and left exposed online does make this one stand out. This data breach may not have included any sensitive data such as credit card numbers. However, the data that was breached could expose individuals to identity theft, credential stuffing and ....
[Read More >>]
Saryu Nayyar, CEO, Gurucul
November 25, 2019
They say the data exposed is not sensitive, but I disagree.
At 1.2 billion records exposed, this is one of the largest data leaks ever, but of course they just keep getting bigger. The situation of today’s digital world is that an increasing volume of personally identifying information is being harvested whenever we interact with organisations online. Legitimate companies can collect data about us from sources all over the Internet, and then combine that ....
[Read More >>]
Tim Erlin, VP of Product Management and Strategy, Tripwire
November 25, 2019
We often worry about the exposure of sensitive data.
We often worry about the exposure of sensitive data, but in this connected world, it’s the connections that matter most. Personal data that isn’t exactly secret, and might even be public, takes on new meaning when collected and connected. Repositories like these are concerning, not only because of the data they contain but because as an industry we don’t really have a way to measure the impa ....
[Read More >>]
Sam Curry, Chief Security Officer, Cybereason
November 24, 2019
This latest exposure is like astronomy: billions and billions ceases to be personal or mean anything.
Once again the People Data Labs breach is a win for the black market and underground crime syndicates, as a treasure trove of personal information is available to criminals. As a society we have become inured to our personal data being exposed, and the real impact of stolen consumer data to individuals means a lot less today than it did five or ten years ago. Over the years, hundreds of billions o ....
[Read More >>]
Javvad Malik, Security Awareness Advocate, KnowBe4
November 24, 2019
We need vendors, cloud providers, and system administrators to adopt a more security-conscious mindset.
This incident is less of a data leak and more of a full-on data tsunami. The biggest challenge when these kinds of repositories are found is that it's near impossible to accurately identify who the owner is. It could be a company that legitimately records data or a third party tasked with compiling profiles, a researcher, or a criminal. Regardless of who set it up, the fact that it's insecure and ....
[Read More >>]
Jason Kent, Hacker in Residence, Cequence Security
November 24, 2019
Clearly this data has been amassed for a purpose, we can speculate on what that is.
That this sort of data, let alone the size of the database, is available is pretty frightening. Until now the database information has been contextual, such as financial data from a financial database breach for instance. Here we see a new and potentially dangerous correlation of data like never before. If your occasionally used Gmail account is used for Facebook, and someone finds out about it ....
[Read More >>]
Dvir Babila, Head of Product Management, CyCognito
November 24, 2019
Troia noted in the original blog "all we can tell from the IP address (35.199.58.125) is that it is (or was) hosted with Google Cloud."
This is a massive breach and a major open question is who owned the server behind the breach. Troia noted in the original blog "all we can tell from the IP address (35.199.58.125) is that it is (or was) hosted with Google Cloud." Determining the ownership of IT assets that exist in the shadows like this requires a lot of fingerprints, and you have to associate those fingerprints with other IT asse ....
[Read More >>]
Stephan Chenette, Co-Founder and CTO, AttackIQ
November 24, 2019
Companies must take on the responsibility of analyzing the security of their IT environments.
Unfortunately in this incident there are still many unknown details, including who owns this database. It’s only a matter of time before that information comes to light, but no matter the owner, database misconfigurations are relatively basic mistakes that have massive consequences, as this incident clearly demonstrates. While it is currently unknown if the Elasticsearch server was accessed by ....
[Read More >>]
Robert Capps, VP, NuData Security
November 24, 2019
Hackers are not able to mimic inherent user behavior online.
Every day, we read headlines about new breaches and data exposures, so it is not surprising to come across places where this data is available for the taking. If anything, this finding should be a stark reminder that relying on credentials and personally identifiable information for user authentication is outdated. Bad actors compile the same user’s information from different breaches and then go ....
[Read More >>]
Sudhakar Ramakrishna, CEO, Pulse Secure
November 24, 2019
A zero trust framework with orchestrated data protection mechanisms is necessary.
This type of data breach is alarming due to the sheer amount of personal information exposed and the potential fidelity added to social media attack vectors. There should be little comfort in the fact that credit card or SSN numbers were not exposed, given the massive volume of profiles and contact information of hundreds of millions of people. The harsh reality of today’s evolving threat landsc ....
[Read More >>]
Deepak Patel, Security Evangelist, PerimeterX
November 24, 2019
ATO attacks can be devastating to users.
Data breaches have contributed to the rise in account takeover (ATO) attacks and as a result, have been one of the most significant drivers for changes in cybersecurity in recent years. Data breaches have resulted in billions of username and password combinations being available on the dark web. This plethora of credentials--which is now even larger due to this new exposure-- has resulted in a 65% ....
[Read More >>]
Salah Nassar, Vice President of Marketing, CipherCloud
November 24, 2019
The problem is the industry has not caught up to the simple fact that the perimeter has eroded.
1.2 billion records breached, add this to the billions of records made public over the last few years and the outcome is clear, there is no such thing as privacy in the cloud. With California Consumer Privacy Act just around the corner, this breach should be a cry for help or a battle cry for strict enforcement of data protection across all organizations collecting consumer data. For organizations ....
[Read More >>]
Willy Leichter, VP of Marketing, Virsec
November 24, 2019
The data Genie is growing daily.
The data exposed appears to have been handled by at least two “data enrichment companies.” These organizations aren’t so different from the credit reporting agencies that collect our data. Oftentimes, we don’t know what’s in there, and there’s little recourse to correct it. Well-founded privacy concerns are the major impetus behind the California Consumer Privacy Act, GDPR & other stat ....
[Read More >>]
Mounir Hahad, Head, Juniper Threat Labs, Juniper Networks
November 24, 2019
It doesn’t take much in terms of configuration mistakes to grant full access to an online database.
Unfortunately our data is more and more being handled by small companies with little expertise in securing it. It doesn’t take much in terms of configuration mistakes to grant full access to an online database. Sometimes it is caused by shadow IT: even if your security team is on top of cybersecurity best practices, workarounds by other departments will land the database in an insecure online lo ....
[Read More >>]
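Two of the comments above (Chenette on Elasticsearch misconfigurations, Hahad on how little it takes to grant full access to an online database) come down to a couple of settings in elasticsearch.yml. The following is an added example, not code from the page or from any vendor quoted on it: it audits a node's settings for the combination that makes a cluster an open database, shows the weak configuration beside its hardened form, and classifies the reply to an unauthenticated probe of the REST root. The setting names (`network.host`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`) are real Elasticsearch settings; the cluster name, version string and sample configs are constructed for the example, and the parser assumes the flat `key: value` layout elasticsearch.yml normally uses.

```python
# Added example: audit the elasticsearch.yml settings that decide whether a
# node is an open database, and classify an unauthenticated probe of port 9200.
import ipaddress
import json

# Constructed sample configs. Setting names are real; values are made up.
WEAK_CONFIG = """\
cluster.name: profiles
network.host: 0.0.0.0          # listen on every interface
http.port: 9200
xpack.security.enabled: false  # no authentication on the REST API
"""

HARDENED_CONFIG = """\
cluster.name: profiles
network.host: 127.0.0.1        # loopback only; clients go through a gateway
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines elasticsearch.yml normally uses.
    Assumption: no nested YAML blocks; anything after '#' is a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def binds_beyond_loopback(host):
    """True if network.host makes the node reachable from other machines.
    Elasticsearch special values: _local_ = loopback, _site_ = site-local,
    _global_ = globally routable. A hostname cannot be resolved offline, so
    it is treated as reachable, the conservative choice for an audit."""
    host = host.strip("[]")
    if host in ("_local_", "localhost"):
        return False
    if host in ("_site_", "_global_"):
        return True
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True


def audit(settings):
    """Return (classification, findings) for one node's settings. A missing
    xpack.security.enabled is flagged: its default is version-dependent, and
    an audit should not rely on it."""
    findings = []
    reachable = binds_beyond_loopback(settings.get("network.host", "_local_"))
    authenticated = settings.get("xpack.security.enabled", "").lower() == "true"
    if reachable:
        findings.append("network.host exposes the REST API beyond loopback")
    if not authenticated:
        findings.append("xpack.security.enabled is not true: no credentials required")
    if settings.get("xpack.security.http.ssl.enabled", "").lower() != "true":
        findings.append("HTTP layer has no TLS: data and any credentials travel in clear")
    if reachable and not authenticated:
        classification = "open"        # anyone who reaches port 9200 can dump it
    elif reachable:
        classification = "reachable"   # exposed, but gated by credentials
    elif not authenticated:
        classification = "local-only"  # unsafe the moment a tunnel or proxy appears
    else:
        classification = "hardened"
    return classification, findings


def classify_probe(status, body):
    """Classify an unauthenticated GET / against port 9200 (constructed inputs).
    An open cluster answers 200 with its banner JSON; a secured one answers
    401 or 403; anything else is not Elasticsearch or is being filtered."""
    if status in (401, 403):
        return "authentication required"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "not elasticsearch"
        if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
            ver = doc["version"].get("number", "?")
            return f"open cluster '{doc['cluster_name']}' (version {ver})"
    return "not elasticsearch"


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        cls, notes = audit(parse_flat_yaml(cfg))
        print(f"{label}: {cls}")
        for note in notes:
            print("  -", note)
    banner = json.dumps({"name": "node-1", "cluster_name": "profiles",
                         "version": {"number": "7.4.2"},
                         "tagline": "You Know, for Search"})
    print(classify_probe(200, banner))
    print(classify_probe(401, '{"error":{"type":"security_exception"}}'))
```

The audit deliberately treats "reachable but authenticated" and "unauthenticated but loopback-only" as separate, weaker states rather than as safe: a reverse proxy, an SSH tunnel or a later change to `network.host` turns the second into the first, which is the shadow-IT path Hahad describes.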
Paul Bischoff, Privacy Advocate, Comparitech
November 24, 2019
It demonstrates the need to regulate data brokers.
This data is a goldmine for cybercriminals setting up large-scale spam, scam, and phishing campaigns. These massive databases, whether they're held by criminals or data brokers, are becoming more common. It demonstrates the need to regulate data brokers, and Vermont's 2018 Data Broker Regulation is a good example. It forces data brokers to register with the state, maintain minimum security standar ....
[Read More >>]
Colin Bastable, CEO, Lucy Security
November 24, 2019
Data farmers are not exactly making it hard for organized crime to run lucrative phishing, vishing and CEO attacks.
Once again, businesses are monetizing personal data on a massive scale, and abdicating responsibility for that data after it is sold. Data farmers are not exactly making it hard for organized crime to run lucrative phishing, vishing and CEO attacks. As well as all those “legit” calls, spam emails and texts, this data exposes people to significant risk of loss through cybercrime. Until consume ....
[Read More >>]
Keith Geraghty, Solutions Architect, Edgescan
November 24, 2019
Social media companies should also be doing more to make users aware of privacy options and how to adjust them.
The sheer amount of data that has been exposed is the issue here. It's concerning to have such a large database wide open in the wild. The type of data exposed is not sensitive in nature; however, to an attacker it can be gold dust. The data will allow for large scale phishing campaigns against users. The attack path will likely be the usual methods of delivery such as emails, profile impersonations ....
[Read More >>]
