Huge Amount of Data Exposed. UK’s ‘Telegraph’ Under Scrutiny.
One of UK’s largest newspapers and online media outlets, ‘The Telegraph’ has exposed 10 TB of data including sensitive information of subscribers like their names, email addresses, internal logs, device info, URL requests besides IP addresses, authentication details and unique identifiers.
An eminent researcher, Bob Diachenko, who stumped upon this anomaly sometime in September, has revealed that a dataset of at least 1200 unprotected and unencrypted contacts was lying in full view including information of Apple News subscribers. The dataset could easily be accessed without a password. He said that a significant portion of the records was unencrypted. In his estimate, the data remained in that position for at least three weeks which is plenty of time to fall prey to hackers.
Ordinarily, hackers and automated scanners would not spare any moment to exploit such a rare opportunity but strangely, no breach from anywhere occurred and no trace was found to suggest that data was manipulated.
Diachenko, promptly alerted The Telegraph about the risks of this negligence. But the media entity took two days to respond to the information provided by the researcher. After the wait, the IT department at The Telegraph took necessary steps to secure the database and informed the affected subscribers, whose data was exposed, to be on the lookout for possible phishing and scams. Diachenko warned that the names and emails that remained exposed for weeks could be used to send targeted scam messages. Any click on the provided link would let the attackers to infiltrate the system and cause widespread damage.
The conclusion to draw is that the primary risk is that those whose names and addresses remained exposed for several weeks may receive spam and phishing emails. The attackers may also get their hands on the leaked URL request which can create privacy issues. With that information in tow, the attackers can try to construct browsing history and get some idea about the reading habits which may lead to embarrassing situations. Diachenko observed that in the exposed data many of the emails had gov.uk extensions. Any information about the owners of these addresses could lead to more complex and compromising results.
The damage that can ensue for The Telegraph because of the stolen access tokens isn’t very substantial. The access can be utilized by non-subscribers reach areas on the media site which are locked behind its paywall. But there is an easy solution to this problem if at all it arises. All one needs is a reset.
In an attempt to restore confidence of the subscribers, The Telegraph issued the following statement: “We became aware of this discovery on 16 September and took immediate action to secure the data. An investigation showed that only a small number of records were exposed – less than 0.1% of our users and we have contacted all the users to advise them. The investigation also concluded that whilst the data was exposed it was not breached other than the discovery posted by the researcher.
We are grateful for the work of independent researchers who responsibly disclose vulnerabilities and exposures and who are vital in our continued work to protect our assets.”
According to this statement, the number of the impacted individuals is 600, which is less than what Daichenko saw exposed. The Telegraph also states that none of them run any risks of exploitation since Diachenko was the first and last person to access the sensitive dataset.
With the arrival of dedicated search engines such as Censys and Grayhat Warfare, ethical hackers and researchers can easily locate vulnerable data that lie exposed. But the same tools can be used by unscrupulous persons to gain illegal access to personal details and exploit them.
Those who are affected, and even those who do not face any such problem, should stick to one advice: Exercise Caution. And the measures one can take are frequent resetting of passwords and remaining away from emails from strangers.
