Threat actors got to a database with over 152,000 customer records before its owner, the Turkish branch of Harvard Business Review, closed it. Crooks left a ransom note, threatening to leak the data and to report the company to authorities for violating the EU’s General Data Protection Regulation (GDPR).
A recent discovery by the Cybernews research team is a stellar example of how open databases pose a great risk to businesses and consumers alike.
- On September 16, Cybernews discovered an open database belonging to a Harvard Business Publishing licensee in Turkey called Infomag.
- Three days later, Cybernews researchers revisited the database to see whether it had been closed, and found it had been hit with ransomware.
- An attacker asked for a 0.01 BTC (about $200) ransom, threatening to start leaking data and warning about huge fines related to the potential GDPR violations.
- A Cybernews investigation revealed that at least five victims acceded to the cybercriminals’ demands. However, the last payment to the attackers was made on July 31, so there’s no evidence of Infomag having paid the ransom.
On September 16, researchers discovered an unprotected MongoDB instance owned by infomag.com.tr – an independently owned and operated licensee of Harvard Business Publishing (HBP), a wholly-owned subsidiary of Harvard University.
According to its website, Infomag publishes Bloomberg Businessweek and Harvard Business Review in Turkish.
Hosted in Turkey, the database was 3.9GB-strong and had over 19.5 million records, although there were some duplicates and some data wasn't sensitive.
In total, the database leaked over 152,000 pieces of information pertaining to customers, such as emails, names, links to LinkedIn, Twitter, and Facebook profiles, and hashed passwords. Some passwords were hashed with the weak MD5 algorithm, while others were hashed with bcrypt, which is considered a strong password hash.
The instance also contained 15 employee emails, names, and passwords protected by a weak SHA1-128bit hash. Some credential pairs belonged to Harvard Business Review English (@hbr.org) users.
The oldest entry goes as far back as 2017, and it is unclear how long this instance had been open prior to the Cybernews discovery.
The dataset also contained payment logs with emails, dates, bank names, phone numbers, and internet protocol (IP) addresses. Infomag also stored physical addresses of some companies and private individuals, as well as company tax numbers.
- The 3.9GB-strong database held information from 2017 onwards.
- The database contained 15 employee emails, names, and poorly protected (SHA1-128bit) passwords.
- The database index marked “Users” contained over 152,000 entries: names, emails, links to social media profiles, and passwords, some of which were hashed using a very weak MD5 algorithm.
- The “Orders” index stored names, physical addresses, payment types, and phone numbers of both companies and individuals. It also had organizations’ tax numbers.
Given that a considerable portion of the stored passwords were hashed using weak password-hashing functions (MD5 or SHA1), they could easily be cracked and then used for credential-stuffing attacks.
SHA1 (Secure Hash Algorithm 1) has been broken since 2004 and can be cracked quickly by criminals at relatively little cost. MD5 is an even weaker algorithm, reportedly first compromised back in 1996.
Moreover, the database contained physical addresses – paired with names, email addresses, and phone numbers, this information could be used for identity theft or harassment.
The open instance also contained some information that could harm the company itself. For example, the “Admin” index revealed that some employees had permission to edit the Harvard Business Review Turkey (hbrturkiye.com) website. Employee emails and credentials could be used to modify the website without confirmation, or to access other internet-facing resources.
In the wrong hands, the database could also harm Infomag’s licensor – Harvard Business Publishing – as it contained some of the credentials belonging to hbr.org addresses.
On September 19, Cybernews researchers went back to check whether the database was still open and learned that it had been hit by a ransomware attack, meaning that criminals found the dataset before its owner had a chance to close it.
Crooks left a note, asking for a ransom in Bitcoin and threatening to contact authorities that might fine the company for potential GDPR violations.
“You must pay 0.01 BTC to [wallet address] 48 hours for recover it. After 48 hours expiration we will leaked and exposed all your data. In case of refusal to pay, we will contact the General Data Protection Regulation, GDPR and notify them that you store user data in an open form and is not safe. Under the rules of the law, you face a heavy fine or arrest and your base dump will be dropped from our server! [sic]” the note reads.
It further gives the victim instructions on where and how to buy Bitcoin. Upon further investigation, the Cybernews team found that the wallet address mentioned in the note had nine transactions, with five seemingly being from victims transferring 0.01 BTC – precisely the ransom amount demanded by the crooks.
However, the last transaction to the criminals’ wallet was made on July 31, suggesting Infomag hasn’t caved in to their demands.
We’ve reached out to both Infomag and Harvard Business Publishing for more details about the incident. Harvard Business Publishing reacted instantly, pointing out that, while Infomag is only a licensee, they take these matters seriously and have made the Turkish company aware of the information that Cybernews provided. We’ve repeatedly contacted Infomag, too, but they have yet to respond.
Proper encryption is key
Data breach monitoring platform Breachsense has indexed over 25 billion leaked credentials. Its founder Josh Amishav-Zlatin says that when data leaks make the headlines, it’s almost always either a misconfigured Elasticsearch, MongoDB, or S3 instance.
“The underlying issue is often a combination of a lack of visibility into the company's assets plus a simple misconfiguration on the server itself,” he told Cybernews.
It could also be a simple misconfiguration where, for example, an IT specialist has mistakenly opened up a port to the outside world and unintentionally exposed data.
“The second common error is associated with application vulnerabilities existing in a customer’s environment that can expose the backend database and allow hackers access,” Tom Neclerio, VP of Professional Services at cybersecurity company SilverSky told Cybernews.
Sensitive data could still stay secure even if unintentionally exposed. However, companies don’t always protect stored data properly, for example by using outdated hashing algorithms to store passwords.
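As an added illustration (not code from the article or from Infomag’s systems), the script below audits a constructed user index of the kind described earlier, classifying each stored password field as MD5, SHA-1 or bcrypt, and shows the usual remediation for legacy hashes: verify a login against the old hash, then immediately rehash with a salted, slow function. It uses the standard library’s PBKDF2-HMAC-SHA256 as a stand-in for bcrypt; the hash-format patterns and the sample rows are assumptions.

```python
import hashlib, hmac, os, re

# Hash formats named in the article. Pattern-based classification is an
# assumption: a bare 32-hex string is taken as MD5, bare 40-hex as SHA-1,
# and bcrypt strings carry a "$2a$/$2b$/$2y$" prefix.
PATTERNS = [("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
            ("md5", re.compile(r"^[0-9a-f]{32}$", re.I)),
            ("sha1", re.compile(r"^[0-9a-f]{40}$", re.I))]
# Constructed sample of a "Users"-style index; all three rows store "password1".
USERS = [{"email": "alice@example.com", "password": hashlib.md5(b"password1").hexdigest()},
         {"email": "bob@example.com", "password": hashlib.sha1(b"password1").hexdigest()},
         {"email": "carol@example.com", "password": "$2b$12$" + "a" * 53}]  # bcrypt-shaped placeholder

def classify_hash(stored):
    """Return 'bcrypt', 'md5', 'sha1', 'pbkdf2' or 'unknown' for a stored password field."""
    if stored.startswith("pbkdf2_sha256$"):
        return "pbkdf2"
    return next((name for name, rx in PATTERNS if rx.match(stored)), "unknown")

def audit(users):
    """Count stored hashes per algorithm; md5/sha1/unknown entries are the ones to migrate."""
    counts = {}
    for u in users:
        kind = classify_hash(u["password"])
        counts[kind] = counts.get(kind, 0) + 1
    return counts

def strong_hash(password, salt=None, rounds=600_000):
    """Salted PBKDF2-HMAC-SHA256 from the stdlib, standing in for bcrypt here (assumption)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"

def strong_verify(password, stored):
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)

def login_and_migrate(user, password):
    """Verify against whatever is stored; a correct login over MD5/SHA-1 rehashes in place."""
    stored, kind = user["password"], classify_hash(user["password"])
    if kind == "pbkdf2":
        return strong_verify(password, stored)
    if kind not in ("md5", "sha1"):
        raise NotImplementedError("bcrypt check needs the bcrypt package; unsupported here")
    legacy = getattr(hashlib, kind)(password.encode()).hexdigest()  # unsalted fast hash
    ok = hmac.compare_digest(legacy, stored.lower())
    if ok:
        user["password"] = strong_hash(password)  # weak hash replaced on successful login
    return ok
```

Running `audit(USERS)` on the sample reports one MD5, one SHA-1 and one bcrypt entry; after `login_and_migrate` succeeds for Alice, her record is reclassified as pbkdf2.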
“Exposing sensitive data or allowing it to get into the wrong hands can have a cascading effect, leading to regulatory and compliance fines, potential lawsuits and legal fines, reputational damage including lost customer confidence, and a financial impact including lost business,” Neclerio said.
The Attack Surface Management team at Group-IB identified 308,000 exposed databases on the open web in 2021.