ACN - 101321555 Australasian Human Research Ethics Consultancy Services Pty Ltd (AHRECS)
1.2 Billion Records Found Exposed Online in a Single Server – Wired (Lily Hay Newman | November 2019)

Published/Released on November 22, 2019 | Posted by Admin on April 7, 2020

Here’s the next jumbo data leak, complete with Facebook, Twitter, and LinkedIn profiles.

For well over a decade, identity thieves, phishers, and other online scammers have created a black market of stolen and aggregated consumer data that they used to break into people’s accounts, steal their money, or impersonate them. In October, dark web researcher Vinny Troia found one such trove sitting exposed and easily accessible on an unsecured server, comprising 4 terabytes of personal information—about 1.2 billion records in all.

Does your institution have a policy/guidance document on hacked or scraped data? If not, it should. While the data may already exist online somewhere, it is “fruit of a poison tree”: it was obtained without consent, probably in contravention of a platform’s policies, and there is a good chance at least one law has been broken. At the very least, an HREC would need to consider whether a waiver of the consent requirement can be approved. It would appear to be a very serious source of risk exposure for an institution, and a member of the institution’s executive should sign off on the project.

While the collection is impressive for its sheer volume, the data doesn’t include sensitive information like passwords, credit card numbers, or Social Security numbers. It does, though, contain profiles of hundreds of millions of people that include home and cell phone numbers, associated social media profiles like Facebook, Twitter, LinkedIn, and Github, work histories seemingly scraped from LinkedIn, almost 50 million unique phone numbers, and 622 million unique email addresses.

“It’s bad that someone had this whole thing wide open,” Troia says. “This is the first time I’ve seen all these social media profiles collected and merged with user profile information into a single database on this scale. From the perspective of an attacker, if the goal is to impersonate people or hijack their accounts, you have names, phone numbers, and associated account URLs. That’s a lot of information in one place to get you started.”

“What stands out about this incident is the sheer volume of data that’s been collected.”
TROY HUNT, HAVEIBEENPWNED

Troia found the server while looking for exposures with fellow security researcher Bob Diachenko on the web scanning services BinaryEdge and Shodan. The IP address for the server simply traced to Google Cloud Services, so Troia doesn’t know who amassed the data stored there. He also has no way of knowing if anyone else found and downloaded the data before he did, but notes that the server was easy to find and access. WIRED checked six people’s personal email addresses against the data set; four were there and returned accurate profiles. Troia reported the exposure to contacts at the Federal Bureau of Investigation. Within a few hours, he says, someone pulled the server and the exposed data offline. The FBI declined to comment for this story.


Read the rest of this discussion piece
