The Telegraph newspaper managed to leak 10TB of subscriber data and server logs after leaving an Elasticsearch cluster unsecured for most of September, according to the researcher who found it online.
The blunder was uncovered by well-known security researcher Bob Diachenko, who said that the cluster had been freely accessible “without a password or any other authentication required to access it.”
After sampling the database to determine its owner, Diachenko saw the personal details of at least 1,200 Telegraph subscribers along with a substantial quantity of internal server logs, he told The Register.
“A significant portion of the records were unencrypted,” he said. Screenshots he provided showed information including the user-agent string and device type, while categories of personal data included subscribers’ first and last names, email addresses, subscriber status, IP addresses and device type and operating system.
Affected users “should be on the lookout for targeted phishing and scams,” Diachenko advised. “Names and emails in the database can be used to send readers targeted scam messages.”
Aside from potential scam emails, the risk from this breach is relatively low unless having your news-reading habits collated in one place might cause professional embarrassment: Diachenko highlighted that in the data sample he viewed were a handful of gov.uk email addresses.