Le Figaro, a French daily newspaper, exposed around 7.4 billion records containing personally identifiable information (PII) of reporters and employees, as well as of at least 42,000 users.
The data was exposed through an unsecured database owned by Le Figaro that contains more than 8TB of data. A misconfigured Elasticsearch server left it publicly accessible.
The Le Figaro website is the most visited news site in France and has more than 23 million monthly unique viewers.
The database was discovered by a Security Detectives team led by security researcher Anurag Sen. It contained records with information about accounts registered between February and April 2020, as well as records of pre-existing user accounts that logged in during that period.
The PII of pre-existing users was leaked, while for new users the login details were also exposed.
According to the researchers, the exposed PII included emails, full names, home addresses including countries of residence and ZIP codes, passwords in plain text and hashed using MD5, as well as IP addresses and tokens used for access to internal servers.
All the details were stored in Le Figaro’s database as API logs of the newspaper’s mobile and desktop websites.
Even though the actual number of users, journalists, and employees whose data was exposed is not known, the researchers estimated that at least 42,000 records were exposed by this server.
The database also contained a large volume of technical logs with information about Le Figaro’s backend servers and other details that, in the hands of an attacker, could easily be used to launch a successful attack against the newspaper.
What makes this worse is that the database was completely exposed to the public, with no password needed to access it.
The data exposed by this misconfigured Elasticsearch server could be used by attackers to perform identity theft and fraud, for credential phishing attacks on other sites, to launch spear-phishing attacks against Le Figaro’s users, journalists, and employees, and as a starting point for a cyberattack on Le Figaro’s network and backend servers.
Elastic NV recommends that all database admins secure their Elasticsearch stack by encrypting communications, using role-based access control, IP filtering and auditing, setting up passwords for built-in users, and properly configuring clusters before deployment.
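As an added illustration (not from the original report or from Elastic), the script below checks a flat-key `elasticsearch.yml` for the controls listed above. The setting names are standard Elasticsearch security settings; both sample configurations are constructed, and an absent setting is treated as disabled, a conservative assumption because defaults vary by version. Passwords for built-in users live outside this file and are not covered.

```python
# Added example: audit a flat-key elasticsearch.yml for the recommended controls.
# Both sample configs are constructed; hosts and CIDR ranges are placeholders.
REQUIRED = {
    "xpack.security.enabled": "authentication and role-based access control",
    "xpack.security.http.ssl.enabled": "encrypted client (HTTP) traffic",
    "xpack.security.transport.ssl.enabled": "encrypted node-to-node traffic",
    "xpack.security.audit.enabled": "audit logging",
}
IP_FILTER_KEYS = ("xpack.security.http.filter.allow", "xpack.security.http.filter.deny")
OPEN_BINDS = {"0.0.0.0", "::", "_global_"}  # values that bind to every interface

EXPOSED = """
cluster.name: api-logs   # constructed
network.host: 0.0.0.0
http.port: 9200
"""
HARDENED = """
network.host: 10.0.0.5
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.audit.enabled: true
xpack.security.http.filter.allow: "10.0.0.0/8"
xpack.security.http.filter.deny: _all
"""

def parse_flat_yaml(text):
    """Parse 'dotted.key: value' lines; nested YAML is out of scope here."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(text):
    """Return one finding per missing control; an empty list means all present."""
    cfg = parse_flat_yaml(text)
    findings = [f"{key} is not true: no {control}"
                for key, control in REQUIRED.items()
                if cfg.get(key, "false").lower() != "true"]
    if not any(key in cfg for key in IP_FILTER_KEYS):
        findings.append("no xpack.security.http.filter.* rule: no IP filtering")
    if cfg.get("network.host") in OPEN_BINDS:
        findings.append("network.host listens on all interfaces")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(EXPOSED)) or "no findings")
```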