Yet Another Exposed Database, This Time with 184 Million Records – Source: securityboulevard.com

Source: securityboulevard.com – Author: Teri Robinson

I had hoped by now we’d be long past the discovery of exposed or misconfigured databases, considering how dangerous they can be to businesses, governments and individuals—and given the heightened security measures that most organizations have implemented to secure sensitive data and prevent such exposure. But here we are again—and this time the exposure is massive. And a bit of a headscratcher for Jeremiah Fowler, the security researcher who found it in May. 

The exposed Elastic database contains an impressive 184 million-plus records, including logins and credentials for Apple, Facebook and Google accounts. To make matters worse, the accounts are linked to various governments.

Calling the discovery “yet another stark reminder that data exposure doesn’t always stem from a breach, it often results from gross negligence in basic security hygiene,” Heath Renfrow, CISO and co-founder at Fenix24, maintains that “this trove included logins for major platforms like Apple, Google and Microsoft, as well as government-related accounts, highlighting how widespread and dangerous this issue is.”

The database appears to be a compilation of information that may be the work of researchers who were looking into some malicious cyber activity, according to Wired, which first reported the discovery. But this is where the whole affair takes on an air of mystery. Fowler hasn’t been able to determine where the data came from or who put it there. The trail just went cold. And that’s not typical.

“This is probably one of the weirdest ones I’ve found in many years,” Wired quoted Fowler, who figures the database is the work of cybercriminals using an infostealer. Regardless, the risk is clear.

The researcher also contended in the report that “as far as the risk factor here, this is way bigger than most of the stuff I find, because this is direct access into individual accounts. This is a cybercriminal’s dream working list.”

And indeed, Darren Guccione, CEO and co-founder of Keeper Security, says the contents of the database “provides countless opportunities for malicious cybercriminals to leverage the data” and warned bad actors “have certainly already used” the login information.

Renfrow agrees that the exposed credentials “are already in circulation” and “will be weaponized for credential stuffing, phishing and targeted attacks.” He also cautions that even if an organization’s systems weren’t breached directly, those people who reuse passwords “now represent a critical threat vector.” And systems, whether government or enterprise, could be at risk if the credentials found in the database have been used by those employees or contractors “with elevated access.”

That makes it all the more important for organizations and individuals to act quickly if their credentials were in the database—taking remedial action now, Guccione says, then following with proactive methods to guard against future attacks.

He recommends a multilayer approach to cybersecurity that includes proper credential management to fend off resulting cyberattacks and the use of a password manager and MFA. “For organizations, a zero-trust approach, combined with least-privilege access and Privileged Access Management (PAM), further reduces risk by limiting attackers’ ability to move laterally or exploit high-value accounts,” says Guccione. “Automated credential rotation and zero-standing privilege controls using a PAM solution mitigates the attack surface and provides robust access controls for privileged resources.”

Renfrow explains that organizations should carefully “monitor for credential stuffing and abnormal logins using behavioral analytics and IP reputation tracking” and suggests using tools like HaveIBeenPwned’s API to “cross-reference internal directories against exposed credentials.”
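As an added illustration (not from the article or from anyone quoted in it), the sketch below shows one simple form of the credential-stuffing monitoring described above: flag a source address that tries many distinct accounts, mostly unsuccessfully, within a short window, and surface any login that succeeded during the burst. The log format, thresholds and function names are assumptions, and the log lines are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth events: "ISO-timestamp source-IP username result".
# Addresses come from documentation ranges (RFC 5737); nothing here is real data.
SAMPLE_LOG = """\
2025-06-02T09:00:01 203.0.113.7 alice FAIL
2025-06-02T09:00:03 203.0.113.7 bob FAIL
2025-06-02T09:00:05 203.0.113.7 carol FAIL
2025-06-02T09:00:08 203.0.113.7 dave OK
2025-06-02T09:00:09 203.0.113.7 erin FAIL
2025-06-02T09:00:12 203.0.113.7 frank FAIL
2025-06-02T09:01:00 198.51.100.20 grace FAIL
2025-06-02T09:01:20 198.51.100.20 grace FAIL
2025-06-02T09:01:45 198.51.100.20 grace OK
2025-06-02T09:30:00 192.0.2.44 heidi FAIL
2025-06-02T10:30:00 192.0.2.44 ivan FAIL
"""

def parse(line):
    """Split one event line into (timestamp, ip, user, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.7):
    """Flag IPs that try many distinct accounts, mostly failing, inside one window."""
    recent = defaultdict(deque)  # ip -> events still inside the sliding window
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, ip, user, ok = parse(line)
        q = recent[ip]
        q.append((ts, user, ok))
        while q and ts - q[0][0] > window:  # expire events older than the window
            q.popleft()
        users = {u for _, u, _ in q}
        fail_ratio = sum(1 for _, _, s in q if not s) / len(q)
        if len(users) >= min_users and fail_ratio >= min_fail_ratio:
            # A success inside the burst is an account to reset first.
            hits = sorted({u for _, u, s in q if s})
            alerts[ip] = {"distinct_users": len(users),
                          "fail_ratio": round(fail_ratio, 2), "succeeded": hits}
    return alerts

if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The thresholds are illustrative: many legitimate users can share one address behind NAT or a corporate proxy, so baseline each source before alerting on it.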

The human factor, of course, can be the weakest link, so both employees and customers should be made aware of the breach, as well as the company response and advice for next steps. 

An exposed database of this nature indicates a bigger issue for companies and agencies in the way they think about and approach security. “This incident reflects the ongoing failure to treat identity as the new perimeter,” says Renfrow. “Organizations must shift to a mindset where they assume compromise and build layered defenses accordingly.”

Original Post URL: https://securityboulevard.com/2025/06/yet-another-exposed-database-this-time-with-184-million-records/?utm_source=rss&utm_medium=rss&utm_campaign=yet-another-exposed-database-this-time-with-184-million-records

Category & Tags: Cybersecurity, Security Boulevard (Original), Social – X, Spotlight, database, Elastic, MFA
