There are many reasons for data to be leaked online: either someone hacked a server, the database password was weak and easily bypassed, or there was plain carelessness.
In the case of the latest leak, which affected the education and science publishing giant Elsevier, it is most likely the latter. Elsevier, the company that owns scientific journals such as The Lancet, left one of its servers open to the public, exposing the emails and passwords of its users. The leak has affected users from universities and other educational institutions around the world.
So far it is not clear how long the server was exposed, how many parties were able to access it, or how many accounts were affected, but it held a long list of passwords and the password reset links generated when a user requested to change their login credentials.
“Most users are .edu [educational institute] accounts, either students or teachers,” Mossab Hussein, the chief security officer at cybersecurity company SpiderSilk who found the issue, told Motherboard in an online chat. “They could be using the same password for their emails, iCloud, etc.”
The data was viewable via Kibana, a popular software tool for visualizing and sorting data. According to reports, to verify that the database was live, Hussein was asked to reset his password to a specific phrase. As expected, the newly set password appeared in plain text on the exposed server, proving that the data was current.
It was only then that Elsevier secured the misconfigured server. An Elsevier spokesperson told Motherboard in an emailed statement that “The issue has been remedied. We are still investigating how this happened, but it appears that a server was misconfigured due to human error. We have no indication that any data on the server has been misused. As a precautionary measure, we will also be informing our data protection authority, providing notice to individuals and taking appropriate steps to reset accounts.”
In the past, Elsevier has become notorious and controversial after acquiring platforms that distributed educational materials for free. As a profit-driven company, it has threatened sites that openly host millions of scientific papers with lawsuits and forced them into the digital underground, distributing materials behind the Tor anonymity network. Because of this, many universities and academic institutions have boycotted Elsevier and its partners.
DATA ARE LEAKED AT AN ALARMING RATE
For the past few weeks, countless data breaches have been reported at an alarming rate, spanning different industries and institutions. According to Victor Gevers, a cybersecurity expert who has discovered multiple unprotected databases online, many databases are openly accessible even to those with only basic hacking and computer skills. These databases contain information similar to that in other vulnerable databases that he and his team have uncovered in the past.
A hacker who has previously sold the sensitive information of more than 800 million users on the dark web has once again put up a fourth batch of data illegally collected from corporations with weak cybersecurity practices. Gnosticplayers has put up for sale the data of six different companies, totaling 26.42 million user records, for 1.2431 bitcoin ($4,940.00) to anyone willing to pay.
Yesterday, the hacker published a new batch of files from six new companies: the game development platform GameSalad, the Brazilian book store Estante Virtual, the online task manager and scheduling apps Coubic and LifeBear, the Indonesian e-commerce giant Bukalapak, and the Indonesian student career site YouthManual.
According to the hacker, the main reason the data is on sale right now is that the companies in question failed to protect their users' passwords with robust password hashing such as bcrypt.
Gnosticplayers said that most of the hashed passwords he has put on sale today could be cracked with varying levels of difficulty, but they can be cracked.
“I get upset because I feel no one is learning,” the hacker said to Catalin Cimpanu, ZDNet’s tech correspondent, through an online chat today. “I just felt upset at this particular moment, because seeing this lack of security in 2019 is making me angry.”
Previously, the hacker said in an interview that he was planning to sell more than one billion worth of data, then retire and disappear with the money.