A server holding information on users of a genealogy service has exposed the data of 60,000 users, putting them at risk of fraud, phishing and other cybercriminal activity.
Researchers led by Avishai Efrat at WizCase discovered the leak, which affected an open and unencrypted ElasticSearch server that belonged to Software MacKiev, according to a report posted online by Chase Williams, a web security expert at WizCase.
Software MacKiev currently maintains the Family Tree Maker (FTM) software, which in turn syncs user data of a widely known family history search platform, Ancestry.com.
The leak exposed a MacKiev server with 25 gigabytes of Ancestry user data and MacKiev Software user subscriptions, including information such as email addresses, user location, user support messages and technical data. Most of the users whose data was leaked appear to be U.S. residents, according to the report.
“The leaked data could have given cybercriminals and scammers access to user personal information, putting many people in great risk of having their credentials used against them,” Williams wrote in the report.
The cause of the leak appeared to be a misconfiguration of an ElasticSearch server, once again highlighting the importance of ensuring that data stored in the cloud is secure and free from common security mistakes, experts noted.
“The reality is that we are going to continue to see these types of configuration errors that result in data loss occurring over and over again; you have to find a way to constantly assess your cloud security posture,” said Pravin Kothari, founder and CEO of cloud security firm CipherCloud, in an email to Threatpost.
Given how much data is now stored in the cloud, experts said the leak demonstrates that a data-centric approach to security should be a priority, alongside other approaches that protect only the network environment or other aspects of the cloud.
“No matter how much effort and investment are poured into securing the borders of their data environment, sensitive data inevitably will wind up in the wrong hands — either through intentional intrusion and theft, unintentional distribution, or pure lack of oversight,” noted Trevor Morgan, product manager at data security firm comforte AG, in an email to Threatpost. “Data-centric security addresses the need for security to travel with the data it protects, rather than merely securing the boundaries around that data.”