UK newspaper The Telegraph exposed a 10TB database with subscriber data
The UK media outlet The Telegraph has leaked 10 TB of subscriber data after failing to properly secure one of its databases.
The UK newspaper The Telegraph’, one of the UK’s largest newspapers and online media outlets, has leaked 10 TB of data after failing to properly secure one of its databases.
The popular researcher Bob Diachenko discovered an unprotected 10 TB database belonging to the UK newspaper The Telegraph. The unsecured database was discovered on September 14, 2021, it included internal logs and subscriber information.
The data was stored on an exposed Elasticsearch cluster, most of the data were encrypted, but personal details of at least 1,200 Telegraph subscribers and registrants were in clear test along with a huge trove of internal server logs.
Subscriber data exposed includes full names, email addresses, device info, URL requests, IP addresses, authentication tokens, and unique reader identifiers. The database also included some Apple news subscribers’ or registrants’ passwords.
Diachenko notified The Telegraph the day it discovered the unsecured database, two days later, on September 16, 2021, after not receiving a response he shared the news via Twitter,
First Beeline, now https://t.co/qxvJYTMoOY [@Telegraph] … 10+Tb of data exposed, incl. subscribers info (email, name, IP, device info, tokens). Please reply asap. Emails have been sent.
— Bob Diachenko (@MayhemDayOne) September 16, 2021
The newspaper’s security team secured the data the same day.
“Evidence suggests the data was left unprotected for about three weeks, since September 1st. We do not know if any unauthorized parties accessed it during that time, but our honeypot experiments show attackers can find and steal data from unprotected databases in just a few hours after they’re exposed.” “The data was generated from an internal logging server for *The Telegraph*.co.uk website.” wrote Diachenko. “The instance was indexed on specialized search engines on September 1, 2021, so the period of exposure is at least three weeks. That’s plenty of time for attackers and automated scanners to find the exposed database and exfiltrate the contained data.”
Experts recommend impacted visitors to reset the password, remain vigilant and look out for unsolicited messages that could ask them to click on links or open attachments.
Below is the statement sent by The Telegraph to Diachenko:
“We became aware of this discovery on 16 September and took immediate action to secure the data.
An investigation showed that only a small number of records were exposed – less than 0.1% of our users and we have contacted all the users to advise them. The investigation also concluded that whilst the data was exposed it was not breached other than the discovery posted by the researcher.
We are grateful for the work of independent researchers who responsibly disclose vulnerabilities and exposures and who are vital in our continued work to protect our assets.”
Follow me on Twitter: @securityaffairs and Facebook
Pierluigi Paganini
International Editor-in-Chief
Cyber Defense Magazine