Volcados de datos de ElasticSearch - Historial de revisiones

Epsilon: /* Honda */

2025-05-29T12:49:36Z

Honda

Epsilon en 12:46 29 may 2025

2025-05-29T12:46:48Z

Epsilon: /* Exactis */

2025-05-29T12:43:21Z

Exactis

Epsilon: /* Listado de empresas conocidas que sufrieron robo de datos en ElasticSearch */

2025-05-29T12:39:56Z

Listado de empresas conocidas que sufrieron robo de datos en ElasticSearch

Epsilon en 12:34 29 may 2025

2025-05-29T12:34:26Z

Epsilon: Página creada con «Entre 2019 y 2023 numerosas empresas pusieron ElasticSearchs en producción sin el plugin de seguridad (por que no se facilitaba sin pagar), en vez de poner un proxy delant…»

2025-05-29T12:32:20Z

Página creada con «Entre 2019 y 2023 numerosas empresas pusieron ElasticSearchs en producción sin el plugin de seguridad (por que no se facilitaba sin pagar), en vez de poner un proxy delant…»

Página nueva

Entre 2019 y 2023 numerosas empresas pusieron ElasticSearchs en producción sin el plugin de seguridad (por que no se facilitaba sin pagar), en vez de poner un proxy delante que se ocupara de garantizar la seguridad, al estar la API administrativa accesible (a veces incluso con credenciales por defecto como elastic/elastic) se produjeron numerosos ataques.

== Listado de empresas conocidas que sufrieron robo de datos en ElasticSearch ==

=== Sky Brazil ===

As ElasticSearch based leaks become the latest source of massive data exposures, Sky Brasil, one of the biggest subscription television services in Brazil, is the latest to leave its customers exposed after not securing the server with a password.
Independent researcher Fabio Castro found the firm exposed the data of 32 million subscribers in 28.7GB of log files and a 429.1GB of API data that revealed names, home addresses, phone numbers, birth dates, client IP address, payment methods, and encrypted passwords.
"The data the server stored was Full name, e-mail, password, pay-TV package data (Sky Brazil), client ip addresses, personal addresses, payment methods," Castro told BleepingComputer. "Among other information the model of the device, serial numbers of the device that is in the customer's home, and also the log files of the whole platform." <ref>https://www.scworld.com/news/sky-brasil-one-of-the-biggest-subscription-television-services-in-brazil-is-the-latest-elasticsearch-server-user-to-leave-its-customers-exposed-after-not-securing-the-server-with-a-password</ref>

== Referencias ==

<references />

@@ Línea 33: / Línea 33: @@
   On December 11th, 2019, I have identified an open and unprotected Elasticsearch cluster with 976 millions of records which appeared to be part of Honda North America infrastructure, exposed online to anyone with a web browser.
   An estimated 1 million records* in the database contained information about Honda owners and their vehicles.  No password or other authentication was needed to access the records, which included names, contact details, and vehicle information. <ref>https://securitydiscovery.com/honda-exposes-vehicle-owner-records-on-the-web/</ref>
 == Referencias ==
 <references />

← Revisión anterior		Revisión del 12:46 29 may 2025
Línea 1:		Línea 1:
−	Entre 2019 y 2023 numerosas empresas pusieron ~~ElasticSearchs~~ en producción sin el plugin de seguridad (por que no se facilitaba sin pagar), en vez de poner un proxy delante que se ocupara de garantizar la seguridad, al estar la API administrativa ~~accesible~~ (a veces incluso con credenciales por defecto como elastic/elastic) se produjeron numerosos ~~ataques~~.	+	Entre 2019 y 2023 numerosas empresas pusieron ElasticSearch en producción sin el plugin de seguridad (por que no se facilitaba sin pagar), en vez de poner un proxy delante que se ocupara de garantizar la seguridad, al estar la API administrativa accessible (a veces incluso con credenciales por defecto como elastic/elastic) se produjeron numerosos volcados. El patrón siempre era algo así:
		+
		+	* Un bot o un humano busca en el puerto 9200 de DNS o IPs conocidos si estaban los endpoints de Elastic
		+	* Si lo estan intenta acceder sin AUTH, si no funciona prueba con elastic/elastic o similares
		+	* Si estan lanzan comandos de listado de indices y posteriormente de batch download
		+	* Si el que hizo el ataque fue un bot seguramente formaba parte de un indexador (crawler) web como Shodan y días después algún curioso lo encontró y lo denunció
		+	* En los casos en que los dumps no estaban asociados a su ip o dns de origen a veces resultaba difícil averiguar la empresa pero casi siempre habia algun dato que hacía inequívoco ubicar la fuente del dump.

	== Listado de empresas conocidas que sufrieron robo de datos en ElasticSearch ==		== Listado de empresas conocidas que sufrieron robo de datos en ElasticSearch ==

@@ Línea 22: / Línea 22: @@
   Troia discovered this database on a lark with a quick search. What are the odds that people who make their livings peddling stolen information--or taking advantage of it to support more criminal activities--didn't find such a poorly safeguarded trove of personal data? That means a significant portion of the U.S. population (roughly 70 percent) likely had some of their records compromised because of Exactis. We might never know definitively if Troia was the first to discover these databases or merely the first to publicly disclose it.
   The good news is that Exactis doesn't appear to have leaked financial information, Social Security Numbers, or similar highly sensitive data. The information it does collect could still be used by scammers or other attackers, but it's not a direct threat to someone's financial health. Wired reported that Exactis secured the databases after Troia revealed the problem, which should mean it can't be accessed by anyone else. However, the company hasn't publicly acknowledged the incident, so we don't know exactly what precautions it's taken. <ref>https://www.tomshardware.com/news/exactis-data-breach-leak,37381.html</ref>
 == Referencias ==
 <references />

@@ Línea 16: / Línea 16: @@
   While the source of the leak was not immediately identifiable, the structure of the field ‘source’ in data fields is similar to those used by a data management company Data & Leads Inc. However, we weren’t able to get in touch with their representatives.
   Moreover, shortly before this publication Data & Leads website went offline and now is unavailable. <ref>https://hackenproof.com/blog/industry-news/new-data-breach-exposes-57-million-records</ref>
 == Referencias ==
 <references />

@@ Línea 8: / Línea 8: @@
   Independent researcher Fabio Castro found the firm exposed the data of 32 million subscribers in 28.7GB of log files and a 429.1GB of API data that revealed names, home addresses, phone numbers, birth dates, client IP address, payment methods, and encrypted passwords.
   "The data the server stored was Full name, e-mail, password, pay-TV package data (Sky Brazil), client ip addresses, personal addresses, payment methods," Castro told BleepingComputer. "Among other information the model of the device, serial numbers of the device that is in the customer's home, and also the log files of the whole platform." <ref>https://www.scworld.com/news/sky-brasil-one-of-the-biggest-subscription-television-services-in-brazil-is-the-latest-elasticsearch-server-user-to-leave-its-customers-exposed-after-not-securing-the-server-with-a-password</ref>
 == Referencias ==
 <references />