Security gaffe left tens of thousands of golf enthusiasts’ data up for grabs, sparking serious security concerns.
Digital networking opens doors, but oversharing online can be a hacker’s jackpot. The Cybernews research team has identified an unprotected Elasticsearch instance leaking personally identifiable information (PII) of over 60,000 people.
The data is associated with Golfhubber, a UK-based company that provides a digital platform for golf clubs and businesses to connect with professional and amateur players.
What Golfhubber data was leaked?
- Dates of birth
- Emails
- Full names
- Gender
- Usernames
- Mobile phone brand names
- Mobile phone IMEI
- Mobile phone OS versions
Attackers could access internal systems
Along with the user's personal data, the open instance also exposed critical API credentials, including usernames, passwords, and emails. While our researchers have not verified what access the leaked credentials provide, if they grant control over Golfhubber's systems, it could pose significant risks.
For example, cybercriminals could take over Golfhubber systems, and change important information, in this way violating the integrity of the data.
Furthermore, the leak contained MinIO credentials, including usernames and passwords. MinIO is an open-source object storage system designed to store unstructured data.
The platform is compatible with Amazon S3 cloud storage, which means that malicious actors could potentially gain access to all data stored within the system by exploiting MinIO credentials.
Accessing the entire system might be hazardous, as attackers could copy sensitive data such as personal user data, business documents, backups, and media files. Worse still, attackers could delete critical data, leading to substantial data loss.
Users are at risk of account hijack
Attackers could utilize leaked user emails and other personal data to craft convincing phishing campaigns, potentially harming Golfhubbers’ clientele.
By pretending to be company representatives, cybercrooks could trick users into handing over more sensitive information, such as login information to financial institutions or credit card details, which could lead to more substantial damages.
Threat actors could also use leaked usernames, for brute-force attacks to hijack user accounts on Golfhubber. It is especially dangerous for users who use weak passwords.
Meanwhile, leaking phone IMEIs is extremely dangerous. Consisting of a unique 15-digit number, they are like fingerprints on every cell phone. Attackers could use stolen IMEIs on their own devices, leading to unauthorized access to mobile networks and services.
Cybernews contacted the company, and access was secured. The data was initially discovered by IoT search engines on July 16th, meaning it remained accessible to anyone on the internet for nearly three months. The company has yet to provide an official comment.
- Leak discovered: July 19th, 2024
- Initial disclosure: August 12th, 2024
- Closed: October 3rd, 2024
Your email address will not be published. Required fields are markedmarked