A research team at WizCase found an open Elastisearch server that had no encryption or password protection. The server was traced back to a website, VIPgames.com, which is a popular free-to-play card game and board game platform that has over 100,000 Google Play downloads and around 20,000 active daily players. The site features a multitude of games and the developer has multiple similar sites. In the open server, over 30GB of data that included 23 million records were exposed. The researchers at WizCase picked out 66,000 user profiles that included their usernames, email addresses, device details, IP addresses, hashed passwords, social media profiles, transaction details, bets, and other information. The passwords were hashed using a Bcrypt algorithm. Bcrypt hashing is one of the most secure because it is time-consuming to crack, but a diligent attacker could still recover original passwords, especially if players chose common or simple passwords.
Analyst Notes
Attackers will try to use the stolen passwords to perform a credential stuffing attack, where they use the information to attempt to login to multiple sites in hopes that someone used the same password for a more valuable account such as email, social media, online banking or tax preparation. Users are highly recommended to create passwords that are unique to the login and complex through the use of numbers, special characters, and both uppercase and lowercase letters that are not words or names. There are a multitude of password managers available that can assist in picking strong passwords and recording passwords for later retrieval by the user. For companies that use Internet-connected databases, they should perform routine security audits to ensure that they have followed recommended procedures including encryption of data and protecting the server’s administrator accounts with strong passwords and multi-factor authentication. Another best practice to employ for database servers is to limit the IP addresses that can connect to them using strong firewall rules to allow connections from only the web servers that need to access the data, and then only through a validated certificate, strong password or API key.
Source Article: https://www.infosecurity-magazine.com/news/misconfigured-cloud-server-exposes/
