Despite several incidents of data exposure from unprotected servers, many firms still seem complacent towards database protection. Once again, an unsecured server exposed millions of records, including call logs and SMS, for months. This time, the incident links to a California-based VoIP provider VOIPO. Again, an unprotected ElasticSearch database seems responsible for this VOIPO data leak.
Millions Of Records Exposed In VOIPO Data Leak
A researcher found a huge database exposed publicly on an unprotected server. The database allegedly contained millions of SMS and call records and other sensitive data. Scratching the surface revealed that the data belongs to a US-based voice-over-IP service, VOIPO.
The researcher Justin Paine has shared the details about this VOIPO data leak in a blog post. Paine serves as the Director of Trust & Safety at Cloudflare.
As stated in his blog, he noticed an improperly secured ElasticSearch database via Shodan that contained millions of VOIP records.
“An improperly secured ElasticSearch database was recently discovered containing a huge volume of VOIP call logs, SMS/MMS message logs, and plaintext internal system credentials.”
In addition, the exposed data also included some internet system API key logs. Paine has also shared sample indices of the exposed data in his report.
Commenting about how easy it has become to find unprotected databases for the researchers, Stephan Chenette, CTO and Co-founder, AttackIQ, said to LHN,
“It does not take much for outsiders to find unsecured databases and access sensitive information. In fact, there are now tools designed to detect misconfigurations within cloud-tools like Amazon’s S3. Voipo’s misconfiguration left millions of call logs, text messages and other internal documents containing unencrypted passwords out in the open, compromising the account security of millions.”
VOIPO Gave A Shady Response
After the researcher discovered this VOIPO data leak, he reported the matter to the firm. Consequently, they acknowledged his report and shut down the unsecured database.
Besides, VOIPO has also published a detailed notice about this data breach. However, their response appears a bit shady, as they simply consider it a leakage from an isolated development server. While the researcher doubts the exposed data to be valid customer data, VOIPO considered it to be test data only.
“It primarily had some data for database load testing made up of call logs (partial numbers only), SMS messages our system flagged as SPAM and some general server log data.”
They also clearly stated their disagreement with some of his assumptions.
“We disagree with many of the assumptions and pieces of information in the article linked, but at the end of the day any potential exposure is unacceptable.”
Although, in their notice, VOIPO confirmed that the customer data remained secure. The repeated statement of the term “development server” makes their disclosure a bit shady. Ruchika Mishra, Director of Products and Solutions, Balbix, shared her thoughts with LHN,
“The millions of exposed call logs, text messages and other internal documents containing unencrypted passwords render the impacted individuals easy targets for threat actors engaged in account hijacking. Although Voipo claims there is no evidence to indicate a breach occurred, the company cannot guarantee that no unauthorized users accessed the data, especially since it was left unsecured and easily available for months. Voipo and its customers might still be secure if the company had early visibility into vulnerabilities across its entire attack surface — including passwords and unencrypted data — and been able to correct them right away.”
Nonetheless, the firm’s security notice also confirmed that the company will continue to investigate this VOIPO data leak.
Growing Incidents Of Cybersecurity Issues
A look at the incidents happened in the past, one can realize that the tech giants are not the only victims of cyber attacks and breaches. Rather, the criminal hackers do not even spare the smaller firms. The moment they find a vulnerability, they leverage the opportunity for their malicious purposes.
According to Rich Campagna, CMO, Bitglass, all large and small firms should pay attention to their IT resources. Commenting about this VOIPO data leak incident, Campagna said to LHN,
“Voipo is yet another example of a company that exposed massive amounts of sensitive consumer data because of a simple security mistake. Leaving a database publicly accessible is unacceptable – even smaller companies with limited IT resources must ensure that they are properly securing data. As such, they must turn to flexible, cost-effective solutions that can prevent data leakage. Fortunately, leading cloud access security brokers (CASBs) boast features like cloud security posture management (CSPM), data loss prevention (DLP), user and entity behavior analytics (UEBA), and encryption of data at rest. It is only with these types of capabilities that an enterprise can be certain that its data is truly safe.”
Is It Possible To Prevent Data Leaks From Unprotected Servers?
Data leakages and breaches from unsecured servers aren’t anything new now. In fact, a couple of months ago, a similar incident was reported with regard to Vovox as well. The firm exposed around 26 million customer records from an unsecured server. Besides, we have already reported several incidents of data exposure and breaches from Amazon S3.
The frequency of such incidents definitely raises concerns here. Is it really difficult for the companies to protect their databases and servers? Stephan Chenette told LHN,
“Misconfigured security controls are an all too common problem. Organizations are increasingly struggling with limited and undertrained IT resources that lead to using default account passwords, unpatched systems, and poorly configured network devices. Data leaks of any kind can undermine customer confidence and are usually caused by security issues. Or in Voipo’s case, technical errors, that are easily preventable. Unauthorized exposure of any type of customer data, for any period, is a serious issue and organizations should always have a plan to continuously assess the viability of their security controls.”
According to Ruchika Mishra, the firms should consider employing artificial intelligence and machine learning for better security.
“It is mathematically impossible for humans to conduct the continuous monitoring of all IT assets and infrastructure needed to stay ahead of all attack vectors—thus security platforms developed with artificial intelligence and machine learning are essential to support security teams, and proactively prevent breaches and data leaks such as this.”
Let us know your thoughts about this article in the comments section below.
