Ten billion user credentials exposed in unsecured databases, research finds
29 July 2020 | 0
Exposed databases are widespread across the web, according to research from password manager, NordPass. Researchers have identified a total of 9,517 unsecured databases containing more than 10 billion entries with data such as emails, passwords, and phone numbers.
Such databases were found across 20 different countries. China came out on top of the list, with nearly 4,000 exposed databases, meaning 2.6 billion users have potentially had their accounts breached. The US came second, with near 3,000 unsecured databases and 2.3 billion entries made available online. India was third, with 520 unsecured databases and 4.8 million entries. Ireland placed twelfth, with 123 exposed databases and almost 4 million detected entries.
While some this data may only be used for testing, the report said much of it could be damaging if exposed. Indeed, some of last year’s largest data leaks were result of exposed databases. Millions of Facebook records were exposed on a public Amazon server last April, for example.
Searching for exposed databases may seem complex, however NordPass claims that the process is quite straightforward. Search engines like Censys or Shodan scan the Web constantly and let anyone view open databases in just a few clicks. If the database managers used default logins, it claims getting into the database would be simple. “With proper equipment, you could easily scan the whole internet on your own in just 40 minutes,” said Chad Hammond, security expert at NordPass.
NordPass also highlighted the phenomenon of ‘Meow attacks’, which wipe unsecured databases clean. Hammond estimates that 39% of all databases have already been hit by one of these ransomware attacks. “These kinds of attacks are very frequent,” said Hammond. “Usually, the attacker asks for ransom. This attack seems to be different only because the hackers deleted the data instead of asking for ransom.
“The Meow attack against unsecured databases should only reinforce the need for proper data security. And while some of the affected databases only contained testing data, the Meow attack targeted some high-level victims, among which was one of the biggest payment platforms in Africa.”
Database security essentials
As such, data security and protection should be top priorities. “Every company, entity, or developer should make sure they never leave any database exposed, as this is obviously a huge threat to user data,” said Hammond.
“Proper protection should include data encryption at rest, wire (in motion) data encryption, identity management, and vulnerability management. Data can be exposed to risks both in transit and at rest and therefore requires protection in both states. While there are several different approaches, encryption plays a major role in data protection and is a popular tool for securing data both in transit and at rest.
“Nevertheless, all data should be encrypted using trusted and robust algorithms instead of custom or random methods,” continued Hammond. “It’s also important to select appropriate key lengths to protect your system from attacks. Identity management is another important step and should be used to ensure that only the relevant people in an enterprise have access to technological resources. Finally, every company should have a local security team responsible for vulnerability management and able to detect any vulnerabilities early on.”
For users looking to protect themselves against the threat, Hammond asserts the value of strong passwords: “The fact that we have more than 10 billion passwords up for grabs should only encourage people to think of strong, lengthy passwords. If your password is “12345”, no firewall in the world will protect your data. Your password shouldn’t be a dictionary word either – an average person uses only about 20,000-30,000 words, so chances are that all of them are already among those 10 billion.”