An Australian football fan site has been found leaking 70 million records, including users’ personal details and racist private messages, via an unprotected Elasticsearch instance.
The 132GB leak was discovered by SafetyDetectives researchers led by Anurag Sen and is linked to BigFooty.com, a website and mobile app dedicated to Aussie Rules Football, which has around 100,000 members.
Although the information found in the leak wasn’t always personally identifiable as users are mainly anonymous, some of the private messages seen by the researchers contained email addresses, mobile phone numbers and usernames and passwords for the site and live streams.
If discovered by cyber-criminals probing for misconfigured databases, the latter may have been useful for credential stuffing attacks on other sites.
Some user messages featured in the leak contained personal threats and racist content, which could be used by hackers to blackmail the individuals, SafetyDetectives argued.
“Private messages are fully exposed in the leak and can be traced back to specific users. This includes some high-profile users such as Australian police officers and government employees,” it said.
“Private information belonging to such individuals, including chat transcripts and email addresses, were found on the database which thereby creates a significant vulnerability in terms of potential blackmail and other reputational damage that could be caused.”
Technical data relating to the site including IP addresses, access logs, server and OS information and GPS data were also leaked, potentially allowing hackers to compromise other parts of the IT infrastructure, the firm added.
Although BigFooty didn’t respond to outreach from Sen and his team, the leak was closed shortly after they contacted government agency the Australian Cyber Security Center.
Source: Read More