Over 90 million French records exposed: mysterious data hoarder leaves instances open


A massive leak has exposed 95 million records belonging to French citizens. The compromised phone numbers, email addresses, and partial payment information leave them vulnerable to targeted cyberattacks.

An unknown actor is hoarding personal information from French data breaches and compiling it in one database.

The Cybernews research team, together with Bob Dyachenko, a cybersecurity researcher and owner of SecurityDiscovery.com, uncovered an open Elasticsearch server containing a treasure trove for cybercriminals.


Elasticsearch is a tool for data analytics and search in near real-time. This instance, accessible to anyone without authentication, stood out due to a massive index with a mysterious name, “vip-v3.” It contained 95,350,331 documents from at least 17 data breaches and had a total size of 30.1GB.

For comparison, the population of France is 67.79 million.

“This database is dedicated to compiling information from multiple French-related data breaches and includes previously known and unknown leaks,” researchers said.

In most cases, the exposed data included full names, phone numbers, addresses, emails, IP addresses, partial payment information, and many more data points.


“Likely, a threat actor collected a range of data from well-known companies and services breaches. The exposed files cover telecommunications, e-commerce, social media, and other sectors, reflecting the widespread nature of a breach,” the researchers said.

The owner of this database is unclear. The cluster appears to be exposed unintentionally due to misconfiguration or error.

“The sheer volume of records and the focus on a single country adds to the severity of the exposure. It potentially affects millions of individuals and companies in France and could lead to higher risk of identity theft, fraud, and other malicious activities,” Cybernews researchers said.


The cluster is hosted by a small French hosting company. This indicates that European data protection regulations (GDPR) should apply. European law requires explicit user consent for collecting and storing personal data.

What was in the leak?

The leak comprises at least 17 parts, each likely corresponding to a separate data incident. While the exposed file names suggest which companies may be involved, Cybernews cannot verify the data's authenticity or confirm that these incidents occurred.

The 17 files in the data chest were as follows:

  • Lyca scrappe.txt. Likely refers to scraped data from Lycamobile, a mobile network operator.
  • Pandabuy-Email.txt. Appears to be related to Pandabuy, possibly a breach involving customer email data.
  • darty.com.txt. May refer to a breach involving Darty, a French electronics retailer.
  • discord_1_2024.txt. Indicates a potential breach or scrape related to Discord, a popular communication platform.
  • dvm.txt. The specific company is unclear. It may relate to a service or entity with the initials DVM.
  • electro-depot.fr.txt. Points to an alleged breach involving Electro Depot, a French electronics and appliance retailer.
  • db_vandb.txt. Likely related to V and B (Vins & Bières), a French retailer of wine and beer.
  • Snapchat SQL.txt. Suggests a breach involving Snapchat, particularly data extracted via SQL queries.
  • frsfr.txt. Unclear, may relate to a French service with the abbreviation “FRS.”
  • go-sport.com-export.txt. Refers to Go Sport, a French sporting goods retailer.
  • intersport-scrapped.fr.txt. Indicates scraped data from Intersport, another sports goods retailer in France.
  • ldlc.txt. Points to an alleged compromise involving LDLC, a French online electronics retailer.
  • corsegsm.com.txt. Related to Corse GSM, a Corsican mobile operator.
  • pinterest.txt. Refers to Pinterest, the social media platform.
  • minecraft.fr-forum.txt. Indicates a compromise allegedly involving a French Minecraft forum.
  • sfr.fr.txt. Appears to be related to a breach involving SFR, a major French telecommunications company.
  • shadow.tech.txt. Refers to Shadow, a cloud computing service.

Additionally, on a related IP address, researchers discovered other exposed files, likely related to other cybersecurity incidents.

  • sport2000_a.txt. Likely refers to Sport 2000, a sporting goods retailer.
  • wakanim.txt. Indicates a leak from Wakanim, an anime streaming service.
  • rinaorc_authme.txt. Suggests the data is from Rinaorc, a Minecraft server or service using the AuthMe plugin for authentication.

“A variety of companies from different sectors reflect the widespread nature of the breach,” the researchers said.


Sensitive information can lead to potential harm

It’s highly unlikely that any legitimate data processor operating within the EU left the data unprotected.

“Such an amount of data cannot be collected, acquired, and combined legally without user consent, given the regulation in the EU. And the data was left exposed without any security measures. This suggests that the database owner, in clear disregard of GDPR, may have malicious intent,” the researchers said.

Since the database has been publicly accessible for an extended period, it’s highly likely that other malicious actors have already copied the data and may be using it for criminal activities.

The immediate and most concerning risks for the exposed individuals are identity theft and fraud. Email addresses, paired with other sensitive details, can be used to craft personalized spear-phishing attacks.

Threat actors can use the data for account hijacking or impersonating individuals in social engineering attacks.

“Companies involved in these breaches can suffer reputational damage, especially if breaches were previously undisclosed,” the researchers warn.

They recommend that companies strengthen their cybersecurity posture by implementing the following measures:

  • Use secure data storage: Enforce strong authentication and access controls.
  • Conduct regular security audits: Monitor cloud infrastructure to identify and mitigate vulnerabilities.
  • Disclosure and communication: Notify affected companies and individuals promptly about the exposure and provide guidance on protecting their data.
  • Limit data collection: Collect only what’s absolutely necessary for business operations.
  • Review data aggregation practices: Reassess the security and necessity of aggregating large datasets.
  • Ensure compliance with GDPR and other relevant data protection regulations.
  • Implement breach detection mechanisms: Detect unauthorized access or misconfigurations in real time.
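As an added illustration (not from the Cybernews report, which does not publish how the cluster was configured), the two elasticsearch.yml fragments below contrast the kind of settings that leave a node answering anonymous requests on a public interface with a hardened equivalent that applies the “strong authentication and access controls” and “breach detection” recommendations above. The address and certificate paths are assumed placeholders.

```yaml
# Fragment 1: exposed pattern (assumed; not the actual configuration).
# Binding to every interface while security is disabled means anyone who can
# reach TCP/9200 can list indices and read documents with no credentials.
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
---
# Fragment 2: hardened equivalent.
# Bind only to the private interface the application tier uses.
network.host: 10.0.0.5                  # assumed internal address
http.port: 9200

# Require authentication and role-based authorization for every request.
xpack.security.enabled: true

# Encrypt client traffic so credentials are not sent in the clear.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12            # assumed path

# Encrypt node-to-node traffic as well.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/transport.p12   # assumed path
xpack.security.transport.ssl.truststore.path: certs/transport.p12 # assumed path

# Record who reads or writes data so unauthorized access is detectable
# (audit logging requires a paid license tier).
xpack.security.audit.enabled: true
```

After enabling security, set credentials for the built-in users and confirm from outside the private network that an unauthenticated request to port 9200 returns HTTP 401 rather than an index listing.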

Updated on September 27th [08:30 a.m. GMT]: Due to an oversight in our reporting process, this article was published prematurely, before the situation was properly addressed. This mistake resulted from miscommunication among the various parties involved in the research. We sincerely apologize for the error. We are implementing stricter verification processes to prevent such mistakes in the future. We remain committed to responsible reporting and upholding the highest standards of research integrity. We also want to thank those who noticed ongoing exposure and brought it to our attention, enabling swift resolution.
