Brazil’s largest subscription television services company, SKY Brasil, leaked private data of 32 million customers on ElasticSearch, a search engine favored by enterprises, reported independent security researcher Fabio Castro on Twitter last week.
Castro was able to easily access it on the open source search engine’s server, and found 28.7GB of log files and 429.1GB of API data, the latter exposing personally identifiable information such as customer name, email address, service login password, client IP address, payment methods, phone number and street address. The telecommunications company has a variety of customers, including high-ranked politicians, governors and government employees, whose data may have also been compromised. Castro is himself one of the customers affected by the leak.
The cache was left available online since mid-October, long enough to have given an attacker time to access the data and manipulate it for illicit activities. The researcher used the search engine Shodan to search for ElasticSearch servers in Brazil and found an entire batch with no password protection or other authentication enabled.
“The data the server stored was Full name, e-mail, password, pay-TV package data (Sky Brazil), client IP addresses, personal addresses, payment methods,” Castro said in an interview with BleepingComputer. “Among other information the model of the device, serial numbers of the device that is in the customer’s home, and also the log files of the whole platform.”
Castro says he immediately informed the company about the security incident.
SKY Brasil, owned by Vrio, produces TV content and has a number of TV channels in its portfolio.
This is not an isolated incident involving ElasticSearch server leaks. Also recently detected was a similar incident that compromised the data of 57 million US residents.