Cognyte gathered more than 5 billion names, email addresses, physical addresses and passwords in a single database. The problem is, it did not secure that database very well.
5 billion entries, gathered in a single database that was itself exposed to the entire Internet without any protection. That is the blunder made by the Israeli company Cognyte. Fortunately, it was able to fix it on June 2, 2021, three days after being notified by researchers at Comparitech.
Each of the 5 billion entries contains a variety of information, including names, addresses, passwords and email addresses. What is special about this data? It itself comes from leaks that Cognyte recovered on black markets. Moreover, the source of each record, that is, the company from which the original leak came, is indicated in the database.
Cognyte gathered this trove of information to feed its "cyber intelligence" service, similar to the one offered by many companies in the sector. Concretely, Cognyte searches for its customers' data among the information exchanged in cybercriminal circles and, when it finds some, warns the victims of the leak. Discovering the incident lets the victim trigger password changes, strengthen its anti-phishing measures or launch internal awareness campaigns.
This episode recalls the publication of the database nicknamed the "mother of all leaks", which had generated a media panic. Even if the leak were exploited, it would not be very dangerous: the data has been in circulation for months or years and has most likely already been exploited. Still, part of it may retain some value, and Cognyte's collection work could offer new leads to a handful of cybercriminals (if they managed to get hold of the database before the leak was fixed).
A classic error exposes 5 billion records
To run its "cyber intelligence" service, the Israeli company accumulated all the data it collected on a single Elasticsearch server. Roughly speaking, this technology resembles a giant Excel spreadsheet, queried over an HTTP/JSON API, that allows searches and analysis over very large volumes of data. But if Elasticsearch is renowned for its efficiency, it is just as well known for the very regular configuration failures of its users.
If they are not careful enough, they may simply leave the API on port 9200 reachable from the Internet without authentication, so anyone who knows the server's IP address can connect to it. Elasticsearch 7.x and earlier shipped with their security features disabled by default (authentication has only been enabled by default since version 8.0), so an operator who binds the server to a public address without turning them on gets exactly this result. The visitor then has access to all the content and can download it, modify it or delete it. There are many examples of such incidents: a BDSM forum, a French startup, a clairvoyance site and even a dating app. Even industrial giants like Microsoft or Razer have made the mistake. Worse, the cybercriminals who exploit these leaks sometimes forget to configure their own servers correctly.
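The following is an added example, not code from the article, from Cognyte or from Comparitech. It shows what "anyone with the IP address" actually gets from an unauthenticated Elasticsearch node: a probe that fingerprints the product on port 9200 with GET / and then reads the public index listing from /_cat/indices to count the documents exposed. So that it runs offline, the script starts a small stub that answers like an Elasticsearch 7.x node with security disabled; the cluster name, index names and document counts in the stub are constructed for the demo, and the port is chosen by the operating system rather than being the real 9200.

```python
"""Probe a host for an Elasticsearch node reachable without credentials.

Added example (not part of the original article or of Cognyte's or
Comparitech's tooling). A tiny stub plays the role of an unauthenticated
Elasticsearch 7.x node; probe() does what a scanner or researcher would do
against a real host. All responses served by the stub are constructed.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed responses mimicking an Elasticsearch 7.x node that was started
# with xpack.security.enabled: false (the misconfiguration described above).
STUB_ROOT = {
    "name": "node-1",
    "cluster_name": "intel-store",
    "version": {"number": "7.10.2"},
    "tagline": "You Know, for Search",
}
STUB_INDICES = [
    {"index": "leak-2019-forum", "docs.count": "12000000", "store.size": "4gb"},
    {"index": "leak-2020-shop", "docs.count": "3500000", "store.size": "900mb"},
]


class StubElasticsearch(BaseHTTPRequestHandler):
    """Minimal fake of the two endpoints the probe relies on."""

    def do_GET(self):
        if self.path == "/":
            body = STUB_ROOT
        elif self.path.startswith("/_cat/indices"):
            body = STUB_INDICES
        else:
            self.send_error(404)
            return
        payload = json.dumps(body).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_stub():
    """Bind the stub to an ephemeral localhost port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), StubElasticsearch)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(host, port, timeout=3):
    """Classify what a visitor who only knows the IP address would get.

    Returns a dict whose 'status' is one of 'open', 'auth_required',
    'not_elasticsearch' or 'unreachable'; when open, it also lists the
    indices and the total number of documents readable without a password.
    """
    base = f"http://{host}:{port}"
    try:
        with urllib.request.urlopen(base + "/", timeout=timeout) as resp:
            root = json.loads(resp.read())
    except urllib.error.HTTPError as err:
        # 401 means the node is reachable but at least asks for credentials.
        status = "auth_required" if err.code == 401 else "not_elasticsearch"
        return {"status": status}
    except (urllib.error.URLError, OSError):
        # Connection refused, firewalled, or timed out: not exposed to us.
        return {"status": "unreachable"}

    # The root document of a real node carries the cluster name and tagline.
    if root.get("tagline") != "You Know, for Search" or "cluster_name" not in root:
        return {"status": "not_elasticsearch"}

    # No credentials were sent and the node answered, so the index listing,
    # and by extension every document, is readable by anyone.
    with urllib.request.urlopen(base + "/_cat/indices?format=json", timeout=timeout) as resp:
        indices = json.loads(resp.read())
    total = sum(int(i.get("docs.count") or 0) for i in indices)
    return {
        "status": "open",
        "cluster": root["cluster_name"],
        "version": root["version"]["number"],
        "indices": [i["index"] for i in indices],
        "total_docs": total,
    }


if __name__ == "__main__":
    server, port = start_stub()
    try:
        print(json.dumps(probe("127.0.0.1", port), indent=2))
    finally:
        server.shutdown()
        server.server_close()
```

Against a hardened node the same probe returns auth_required (HTTP 401) or unreachable, which is the outcome an operator wants: on 7.x that means setting xpack.security.enabled: true and not binding network.host to a public address without a firewall in front; from 8.0 the defaults already do this.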
It is highly probable that the database was downloaded
As you will have understood, this pitfall is recurrent and therefore well known to criminals as well as to cybersecurity researchers, to the point that some build their careers on hunting for this type of leak. The result: according to an experiment conducted by Comparitech, an exposed server receives its first visit less than 10 hours after being exposed, and a few days later hundreds of people have visited it. This is why, even though Cognyte cannot determine whether criminals took advantage of its leak, it is a strong possibility.
After a server has been exposed for a certain time, public search engines for Internet-connected devices (the best known being Shodan) end up indexing it. That is how Comparitech found Cognyte's server on May 29, a day after it appeared on those search engines. Past that point, the probability that nobody has seen the leak is extremely low.