Personal data of tens of millions of Russians and Ukrainians exposed online

The treasure trove of data was leaked due to a misconfigured Elasticsearch server and in total it stored 870 million records or 147 GB of data.

The SafetyDetectives security team led by Anurag Sen shared details of a misconfigured Elasticsearch server that exposed the data of millions of loan applicants. The data mainly belonged to people from Ukraine, Kazakhstan and Russia who had applied for microloans.

The server was discovered by chance on December 5, 2021, while the team was checking some IP addresses, but the details were only shared this week. The server, whose owner could not be identified, was unprotected: it had no authentication in place, which left more than 870 million records (147 GB of data) exposed.
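The weakness described above is simply an Elasticsearch HTTP port that answers without credentials. The script below is an added example, not code from the article or from SafetyDetectives, for checking a cluster you operate: it classifies the reply to `GET /` (the cluster banner) and, if the cluster answers anonymously, totals the document count from `/_cat/indices?format=json` so the size of the exposure is visible at a glance. The host and port are placeholders you supply; the responses used in the comments and in testing are constructed.

```python
import json
import urllib.error
import urllib.request
from dataclasses import dataclass

# Added example (not from the article or SafetyDetectives): a self-audit helper
# for an Elasticsearch endpoint you are responsible for. Host/port values are
# placeholders; any sample response bodies used with it are constructed.


@dataclass
class Finding:
    severity: str   # "critical", "ok" or "info"
    message: str


def assess_root_response(status: int, body: str) -> Finding:
    """Classify the reply to GET / on the HTTP port (the cluster banner)."""
    if status == 401:
        return Finding("ok", "authentication required for the HTTP API")
    if status == 403:
        return Finding("ok", "request rejected by authorization policy")
    if status != 200:
        return Finding("info", f"unexpected HTTP status {status}")
    try:
        info = json.loads(body)
    except ValueError:
        return Finding("info", "200 reply but body is not Elasticsearch JSON")
    # A real banner carries cluster_name and/or the "You Know, for Search" tagline.
    if "cluster_name" not in info and "tagline" not in info:
        return Finding("info", "200 reply but not an Elasticsearch banner")
    version = info.get("version", {}).get("number", "unknown")
    return Finding(
        "critical",
        f"cluster '{info.get('cluster_name', '?')}' (version {version}) "
        "answers without credentials",
    )


def summarise_indices(status: int, body: str) -> tuple[int, list[str]]:
    """Total document count and index names from GET /_cat/indices?format=json.

    Returns (0, []) when the cluster did not hand the listing out.
    """
    if status != 200:
        return 0, []
    try:
        rows = json.loads(body)
    except ValueError:
        return 0, []
    names, total = [], 0
    for row in rows:
        names.append(row.get("index", "?"))
        try:
            total += int(row.get("docs.count") or 0)   # _cat returns counts as strings
        except ValueError:
            pass
    return total, names


def _get(url: str, timeout: float) -> tuple[int, str]:
    """Fetch url; HTTP error statuses come back as a code, not as an exception."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def audit_cluster(host: str, port: int = 9200, timeout: float = 5.0) -> list[Finding]:
    """Audit one Elasticsearch HTTP endpoint that belongs to you."""
    base = f"http://{host}:{port}"
    try:
        root = assess_root_response(*_get(f"{base}/", timeout))
    except (urllib.error.URLError, OSError) as err:
        # Connection refused / timeout: the port is not reachable from here.
        return [Finding("info", f"{base} not reachable: {err}")]
    findings = [root]
    if root.severity == "critical":
        total, names = summarise_indices(
            *_get(f"{base}/_cat/indices?format=json", timeout)
        )
        findings.append(Finding(
            "critical",
            f"{total} documents readable across {len(names)} indices: "
            + ", ".join(names[:5]),
        ))
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # placeholder host
    for f in audit_cluster(target):
        print(f"[{f.severity.upper()}] {f.message}")
```

Run it against your own cluster address (`python audit_es.py es.internal.example`); a `401` on the banner is the state you want. The fix for a `critical` finding is to enable authentication in `elasticsearch.yml` (`xpack.security.enabled: true`, which is the default from Elasticsearch 8 onward) and to stop binding the HTTP port to a public interface, rather than relying on the port being hard to find.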

Identity of the owner not yet available

SafetyDetectives could not determine who owned the server. The researchers noted that customer logs from many microloan provider websites were stored on it, though most of these websites did not belong to financial services firms such as lenders or banks. Instead, they belonged to third parties acting as intermediaries between the loan company and the applicant.

Most of the server log entries were in the Russian language, while most of the data belonged to Russians. Therefore, the researchers concluded that the owner of the server is a Russian entity.

Details of exposed data

According to SafetyDetectives researchers, the leak exposed various forms of personally identifiable information (PII) and other sensitive user data, including details from users' "internal passports".

It should be noted that in Russia and Ukraine internal passports serve as a substitute for national identity cards and are used within the country's own territory. According to the SafetyDetectives blog post, the internal passport details on the exposed server include the following user information:

  • Sex
  • Marital status
  • Date and place of birth
  • The physical address, including city and region
  • Full name (first name, surname and patronymic)
  • Passport number with issue/expiration dates and serial number

Some of the exposed data, such as cities, names, addresses and locations, was written in Cyrillic script, which is primarily used in parts of Eastern Europe and Central Asia.

In some cases this information had been encoded into symbols. Other PII exposed by the unsecured server includes the following:

  • Salary
  • Number of children
  • Loan details
  • Mobile numbers
  • Email addresses
  • Employment status
  • Education Information
  • OTP Login SMS Codes
  • TINs (tax identification numbers)

How many users are affected?

Around 10 million users are expected to be affected by this exposure. Many of the server logs and passport numbers belonged to Russians, while most of the tax identification numbers belonged to Ukrainians. The server was located in Amsterdam, the Netherlands.

SafetyDetectives contacted the Russian CERT on December 14, 2021 and the Dutch CERT on December 30, 2021, but both declined to help. The server host was contacted on January 13, 2022, and secured the server the same day.

Potential Hazards

Given the scope and nature of the data exposed, the incident may have far-reaching implications: bad actors could download the data and use it for identity theft, phishing scams, fraudulent marketing campaigns and microcredit identity fraud.
