What Happens When an Elasticsearch Cluster Exposes 2.7 Billion Emails?

A massive Elasticsearch data breach revealed over 2.7 billion email addresses, 1 billion passwords, and hundreds of thousands of personal documents, highlighting how misconfigured cloud storage on AWS S3 can lead to large‑scale exposure of sensitive information and underscoring the need for robust cloud security practices.

21CTO

On December 12, 2019, a new Elasticsearch data breach was discovered less than two weeks after a previous incident, exposing 2.7 billion email addresses and 1 billion email‑password pairs; a separate cloud storage bucket was found to contain nearly 800 thousand U.S. birth‑certificate applications.

Researchers found that over the past year many companies unintentionally left Amazon Web Services S3 buckets and Elasticsearch clusters publicly accessible without proper security controls.

Bob Diachenko, Director of Threat Intelligence at Security Discovery, reported that the Elasticsearch database contained over 2.7 billion email addresses, many from Chinese providers such as Tencent, Sina, Sohu, and NetEase, as well as Yahoo, Gmail, and Russian domains. Some of the compromised credentials were linked to a 2017 breach that was later sold on the dark web.

The Elasticsearch server belonged to a U.S. hosting center that was shut down on December 9 after the security report, but it had been openly accessible for at least a week, allowing anyone to query it without authentication.

Diachenko noted this may be the largest breach he has seen, surpassing previous incidents like the 275 million Indian citizen database he uncovered in 2018.

Although the validity of the 2.7 billion email addresses cannot be confirmed, their illicit origin is clear, and enterprises often underestimate the risk posed by exposed email accounts, which are prime targets for phishing and account takeover.

The stolen emails were stored with MD5, SHA‑1, and SHA‑256 hashes, likely to facilitate searching, suggesting that someone may have purchased the database and misconfigured it to be publicly available.
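The hashed storage described above is worth looking at in code, because a plain digest of an email address gives the holder a searchable index but gives the data no confidentiality. The example below is added here and is not code from the article or from the researchers; the addresses and the key are constructed. It builds a digest index the way the leaked dump did, shows that normalisation makes the digest a deterministic alias for a guessable identifier, and contrasts it with an HMAC token that is only searchable by whoever holds the key.

```python
"""Why unsalted MD5/SHA-1/SHA-256 digests of email addresses are not protection.

Added example (not from the article). The leaked index kept one digest per
algorithm per address so it could be searched by hashing a query. Because the
input space (email addresses) is small and guessable, each digest is merely a
stable alias for the address. A keyed hash keeps the search capability for the
key holder and removes it for everyone else.
"""
import hashlib
import hmac

ALGORITHMS = ("md5", "sha1", "sha256")

# Constructed sample data; not from any real dump.
SAMPLE_EMAILS = ["alice@example.com", "bob@example.org"]
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def normalise(email):
    """Trim and lower-case so the same mailbox always yields the same digest."""
    return email.strip().lower().encode("utf-8")


def digests(email):
    """Unsalted digests of an address: the form the exposed index stored."""
    data = normalise(email)
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def build_index(emails):
    """Simulate the searchable dump: every digest maps straight back to its address.

    This is exactly why hashing added nothing: whoever holds the same candidate
    addresses can rebuild the mapping, so a digest is a lookup key, not a secret.
    """
    index = {}
    for email in emails:
        for alg, hexdigest in digests(email).items():
            index[(alg, hexdigest)] = normalise(email).decode("utf-8")
    return index


def lookup(index, alg, hexdigest):
    """Resolve a digest in the rebuilt index; None if the address is not a known candidate."""
    return index.get((alg, hexdigest))


def keyed_token(email, key):
    """Searchable pseudonym that cannot be matched without the secret key.

    HMAC-SHA256 is deterministic for one key (so the owner can still search by
    token) but an index built with a different key, or with no key, never matches.
    """
    return hmac.new(key, normalise(email), hashlib.sha256).hexdigest()


def tokens_match(email, key_a, key_b):
    """True only when both sides derive the token from the same key."""
    return hmac.compare_digest(keyed_token(email, key_a), keyed_token(email, key_b))


if __name__ == "__main__":
    idx = build_index(SAMPLE_EMAILS)
    probe = digests("Alice@Example.com ")["sha256"]
    print("digest resolves to:", lookup(idx, "sha256", probe))
    print("same key matches:", tokens_match("alice@example.com", SECRET_KEY, SECRET_KEY))
    print("other key matches:", tokens_match("alice@example.com", SECRET_KEY, b"other"))
```

The practical point for anyone holding such data legitimately: the only thing that makes an address index unreadable to a third party is a secret the third party does not have, which means a keyed token, and the key must be stored separately from the index.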

In a related finding, UK penetration‑testing firm Fidus Information Security discovered an AWS S3 bucket containing nearly 800 thousand U.S. birth‑certificate applications and, separately, a database of 94,000 death‑certificate applications. The bucket lacked password protection and was fully readable via its URL.

The exposed data included names, dates of birth, addresses, email addresses, phone numbers, and other personal details, with the bucket remaining publicly accessible despite multiple reports to Amazon’s security team.

These incidents illustrate how publicly exposed cloud storage can enable attacks such as targeted phishing and identity theft. Bitglass CTO Anurag Kahol advises organizations to maintain full visibility and control over customer data, implement real‑time access controls, encrypt data at rest, and configure cloud security settings that can detect misconfigurations.
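The misconfiguration behind the S3 exposure above is detectable from three bucket settings: the bucket policy, the bucket ACL, and the account- or bucket-level Public Access Block. The example below is added here and is not code from the article, from Fidus, or from AWS; it makes no API calls and instead evaluates constructed JSON documents shaped like the responses of GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock, with the weak configuration beside a corrected one. The bucket name, account ID and role name in the samples are placeholders.

```python
"""Audit S3 bucket settings for the public-read misconfiguration the article describes.

Added example, not from the article or any vendor. Inputs are constructed
dicts in the shape of the AWS API responses; no network access is needed.
"""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
READ_ACTIONS = {"*", "s3:*", "s3:GetObject", "s3:ListBucket"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """'*' or {'AWS': '*'} grants to anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_findings(policy):
    """Sids of Allow statements that hand read/list access to a public principal.

    Statements carrying a Condition are skipped rather than flagged: they need a
    human to decide whether the condition actually narrows the audience.
    """
    findings = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        if not _is_public_principal(statement.get("Principal")):
            continue
        if "Condition" in statement:
            continue
        if READ_ACTIONS & set(_as_list(statement.get("Action", []))):
            findings.append(statement.get("Sid", "<no Sid>"))
    return findings


def acl_findings(acl):
    """Permissions granted to the AllUsers or AuthenticatedUsers groups."""
    return [
        grant.get("Permission")
        for grant in acl.get("Grants", [])
        if grant.get("Grantee", {}).get("Type") == "Group"
        and grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS
    ]


def public_access_block_ok(pab):
    """True only when all four Public Access Block flags are enabled."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(flag) is True for flag in PAB_FLAGS)


def audit_bucket(name, policy, acl, pab):
    """Combine the checks; a bucket is exposed when a public grant exists and nothing blocks it."""
    report = {
        "bucket": name,
        "public_policy_statements": policy_findings(policy),
        "public_acl_grants": acl_findings(acl),
        "public_access_block_enforced": public_access_block_ok(pab),
    }
    report["exposed"] = bool(
        (report["public_policy_statements"] or report["public_acl_grants"])
        and not report["public_access_block_enforced"]
    )
    return report


# Constructed weak configuration: world-readable objects, public ACL, no block.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::placeholder-records-bucket/*"}]}
WEAK_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
WEAK_PAB = {"PublicAccessBlockConfiguration": {flag: False for flag in PAB_FLAGS}}

# Constructed corrected configuration: one named role, owner-only ACL, block enforced.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AppRoleRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/placeholder-records-app"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::placeholder-records-bucket/*"}]}
HARDENED_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "placeholder-owner-id"},
                            "Permission": "FULL_CONTROL"}]}
HARDENED_PAB = {"PublicAccessBlockConfiguration": {flag: True for flag in PAB_FLAGS}}

if __name__ == "__main__":
    print(audit_bucket("weak", WEAK_POLICY, WEAK_ACL, WEAK_PAB))
    print(audit_bucket("hardened", HARDENED_POLICY, HARDENED_ACL, HARDENED_PAB))
```

Run against real settings, the same functions would take the JSON returned by the three API calls for each bucket; the useful operational check is the `exposed` flag, which is only false when either no public grant exists or the Public Access Block is fully enforced.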
