10 billion records exposed in unsecured databases, study says

Researchers have found close to 10.5 billion pieces of consumer data that has been left sitting in almost 10,000 unsecured internet-facing databases hosted across 20 countries. The data is said to include email addresses, passwords, and phone numbers.

The study was conducted by NordPass between June 2019 and June 2020 in cooperation with an unnamed white hat hacker, who scanned the web for Elasticsearch and MongoDB libraries in search of misconfigured databases.

It’s worth noting that three countries accounted for most of the exposed records, with France bearing the brunt (5.1 billion detected entries). China followed on 2.6 billion records and the United States came in third with 2.3 billion data points. When it comes to countries with the largest numbers of ill-configured databases, China came first (4,000), followed by the US (3,000) and India (500).

Since the information is stored in unprotected databases, cybercriminals would have to put in little to no effort to gain access to the data. With the records in hand they could wreak all sorts of havoc on their victims.

For example, the pilfered data could be used for social engineering attacks that are ultimately aimed at draining your bank accounts or at breaking into your other accounts. These attacks pay dividends especially if you recycle your passwords across various online services.

The stolen information could also be used to conduct (spear)phishing attacks that could lead to hundreds of thousands of dollars in losses, as one Premier League club almost found out recently. In other scenarios, miscreants could sell the data on the dark web, extort the victims or, as the recent ‘Meow’ attacks have shown, some data could simply be replaced with random garbage. Passwords are the bare minimum the admins should have used to secure the databases.

RELATED READING: Five tips for keeping your database secure

It’s worthwhile to remind ourselves of some account security basics, which include using unique and strong passwords or passphrases, potentially with the help of a password manager. It’s also highly advisable to use two-factor authentication, which adds an extra layer of security in exchange for very little effort. If you ever suspect that something is amiss with your accounts, you can also check out our handy guide on how to check if your password has been stolen.