Media conglomerate Thomson Reuters Corp. has been found to have exposed over 3TB of sensitive customer and corporate data, the latest company to fail in applying basic security to its hosting solutions.
Discovered by researchers at Cybernews, the data was found on public-facing ElasticSearch databases. The content of the databases, which surprisingly also included plaintext passwords to third-party servers, primarily consisted of logging data collected through user-client interactions.
The data collected includes documents with corporate and legal information about specific businesses and individuals. In one example, an employee of a company was looking for information about an organization in Russia using Thomson Reuters services, only to find out that its board members were under U.S. sanctions over their role in the invasion of Ukraine.
The Cybernews researchers also discovered one of the open databases included the internal screening of other platforms such as YouTube, Thomson Reuters clients’ access logs and connection strings to other databases. The exposure of connection strings is noted to be particularly dangerous as Reuter’s internal network elements were exposed, giving threat actors the ability to move laterally and pivot through internal systems.
Last but not least, the researchers also found login and password reset logs. While not exposing old or new passwords, the logs show the account holder’s email address and the exact time the password change query was sent.
Thomson Reuters has tried to downplay the data exposure, claiming that out of the three exposed servers found, two were designed to be publicly available and the third was a non-product server meant for “application logs from the pre-production/implementation environment.”
The researchers warn that the data is likely worth millions of dollars on underground criminal forums. The data was exposed for several days, giving ample time for malicious bots to discover and steal the data. The data in the exposed databases could be used for social engineering attacks and ransomware, among other potential attack vectors.
“It’s concerning that the dataset was open for so long,” Benjamin Fabre, co-founder and chief executive officer of bot protection company DataDome SAS, told SiliconANGLE. “Threat actors – and the malicious bots they deploy – are opportunistic and can wreak havoc very quickly once they get ahold of sensitive data.”
Febre added that “bots can (and will) leverage personally identifiable information to conduct all sorts of attacks, including account takeover, credential stuffing, carding and more. This likely won’t be the last we hear of this breach.”
Jerrod Piker, competitive intelligence analyst at cybersecurity company Deep Instinct Ltd. warned similarly, saying that “threat actors are extremely ruthless when it comes to exploiting weaknesses in organizations.”
“Once an organization/industry is viewed as vulnerable, threat actors will continue to bombard that organization or industry until they successfully identify an exploitable gap,” Piker explained. “Once in, threat actors will do everything they can to establish persistence and maximize their damage and/or profits.”
Image: Thomson Reuters
Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.