- 1.5 billion exposed documents have been discovered by researchers
- Records mainly come from Chinese social media and e-commerce platforms
- Victims are at risk of identity theft and social engineering attacks
CyberNews researchers discovered an unprotected server containing “hundreds of millions” of records, including major brand names such as Weibo and DiDi, among others – with the total number of records compromised as high as 1.5 billion.
The compromised data included personally identifiable information (PII) such as full names, email addresses, financial information, health records and phone numbers. The largest set of information was credited to QQ Messenger, and the second largest was 504 million records credited to social media giant Weibo – although it is likely they came from previous leaks.
The largest dataset without a known major leak came from JD.com (Jingdong), a Chinese e-commerce company, with researchers discovering a staggering 142 million JD.com records in this case.
No clear indication of ownership
While some data has apparently been exposed in previous data breaches, much of the information was “undoubtedly” compromised for the first time in this incident. This dataset is most likely a mix of known exposed information and recently leaked data that was all gathered on a (now closed) Elasticsearch server.
According to the researchers, the server was exposed for “several months” but was shut down following several disclosure notices.
The exposed instance shows “no clear indication of its true ownership”, which the researchers say suggests there could be malicious intent behind the collection of such a “vast and diverse” dataset.
A vast data set gives malicious actors ample scope to carry out targeted attacks such as account takeovers, sophisticated social engineering attacks, and identity theft.
While the scale of the incident is enormous, it is potentially only the second data breach of this scale in recent history, demonstrating the need for greater protection for businesses around the world.
