What Happens When an Elasticsearch Database Exposes 2 Million Sensitive Records?
In July, security researcher Bob Diachenko uncovered an exposed Elasticsearch cluster leaking nearly two million personal records, including passport details and no‑fly indicators. The incident highlights the severe impact of unsecured Elasticsearch deployments, and this summary closes with recommendations for preventing similar breaches.
Impact of the Data Leak
In July, Security Discovery director Bob Diachenko discovered an exposed Elasticsearch cluster containing almost two million JSON records with highly sensitive personal information such as names, nationalities, genders, birth dates, passport details and a "no_fly_indicator" flag. The server had already been indexed by the internet‑device search engines Censys and ZoomEye, so other parties could have found and accessed the data before it was reported.
Diachenko’s analysis showed that many fields appear to come from a terrorist watchlist (the Terrorist Screening Center, TSC), while other fields like "tags", "nomination_type" and "selection_indicator" were difficult to interpret. Recognising the national‑security implications, he reported the breach to the U.S. Department of Homeland Security on July 19; the server was shut down three weeks later on August 9, 2021. Notably, the exposed database was hosted on a Bahrain IP address rather than a U.S. one.
Why Elasticsearch Frequently Leaks Data
Elasticsearch, released by Elastic in 2010, is a distributed open‑source search and analytics engine prized for its real‑time search capabilities. However, the open‑source version provides no built‑in data‑protection features, leaving the deployment protected only by whatever basic firewalling sits in front of it. This lack of security has led to multiple high‑profile leaks, such as the December 2019 exposure of over 2.7 billion email addresses from Tencent, Sina, Sohu and NetEase, and the May 2020 public access to a Thai telecom's Elasticsearch database containing about 83 billion records (≈4.7 TB).
Experts recommend mitigating such risks by implementing authentication and authorization, encrypting data in transit, restricting access to internal networks, and establishing robust monitoring and incident‑response procedures to detect and contain breaches promptly.
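As an added example (not from the article, and not an Elastic tool), the following Python script audits the elasticsearch.yml settings behind the recommendations above: network binding, authentication and HTTP encryption. The helper names and both sample configs are constructed; a node bound beyond loopback without an explicit `xpack.security.enabled: true` is treated as exposed, a conservative assumption since older releases did not enable security by default.

```python
import ipaddress

# Aliases Elasticsearch accepts for network.host (classification is our own assumption)
LOOPBACK_ALIASES = {"_local_", "localhost", "127.0.0.1", "::1"}
WILDCARD_ALIASES = {"_site_", "_global_", "0.0.0.0", "::"}

def parse_flat_yaml(text):
    """Parse the flat `dotted.key: value` lines used in elasticsearch.yml.
    Comments and blank lines are skipped; nested YAML blocks are out of scope."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("'\"")
    return settings

def is_reachable_bind(host):
    """True when network.host makes the node reachable beyond loopback."""
    if host in LOOPBACK_ALIASES:
        return False
    if host in WILDCARD_ALIASES:
        return True
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # hostname or unknown alias: assume reachable

def audit(settings):
    """Return findings for the exposure pattern; an empty list is clean."""
    findings = []
    reachable = is_reachable_bind(settings.get("network.host", "_local_"))
    auth_on = settings.get("xpack.security.enabled", "").lower() == "true"
    tls_on = settings.get("xpack.security.http.ssl.enabled", "").lower() == "true"
    if reachable and not auth_on:  # the pattern behind the leak described above
        findings.append("REST API reachable without authentication")
    if reachable and not tls_on:
        findings.append("REST API served over plaintext HTTP")
    if settings.get("xpack.security.authc.anonymous.roles"):
        findings.append("anonymous requests are granted roles")
    return findings

# Constructed sample configs, not taken from the incident
WEAK_CONFIG = "network.host: 0.0.0.0\nxpack.security.enabled: false\n"
HARDENED_CONFIG = """network.host: 10.0.5.20  # internal interface; firewall still needed
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_flat_yaml(cfg)) or ["no findings"])
```

Binding to an internal address is not a substitute for authentication; the hardened sample passes only because it enables security and TLS as well.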
References:
https://www.bleepingcomputer.com/news/security/secret-terrorist-watchlist-with-2-million-records-exposed-online/
https://cloud.tencent.com/developer/article/1580423