- Researchers have discovered 1.5 billion exposed records
- The registrations come mainly from Chinese social networks and e-commerce platforms.
- Victims are at risk of identity theft and social engineering attacks
CyberNews researchers have discovered an unprotected server with “hundreds of millions” of records, including major brand names such as Weibo and DiDi, among many others, with a total number of compromised records potentially at 1.5 billion.
The compromised data included personally identifiable information (PII), such as full names, email addresses, financial information, medical records, and phone numbers. The largest set of information was attributed to QQ Messenger, and the second largest was 504 million records credited to social media giant Weibo, although these were likely from previous leaks.
The largest data set with no known prior major leaks was from JD.com (Jingdong), a Chinese e-commerce company, and researchers discovered a staggering 142 million JD.com records in the case.
No clear indication of ownership
While some data was apparently exposed in previous data breaches, much of the information was “undoubtedly” compromised for the first time in this incident. This data set is most likely a combination of known exposed information and recently leaked data that was collected on a (now closed) Elasticsearch server.
According to researchers, the server was exposed for “several months” but was shut down after multiple disclosure notices.
The exposed instance shows “no clear indication of its true ownership,” which the researchers say suggests there may be malicious intent behind the collection of such a “large and diverse” data set.
A rich data set gives threat actors ample scope to carry out targeted attacks such as account hacking, sophisticated social engineering attacks, and identity theft.
Although the scale of the incident is enormous, it is potentially only the second data breach of this scale in recent memory, demonstrating the need for greater protection for businesses around the world.
