The world’s largest webmaster forum suffered a massive data leak this year compromising the info of 863,412 users, said Website Planet. The breach was caused by an unprotected database containing the portal’s records.
The forum, which has a whopping 62,858,114 records, describes itself as “the internet’s biggest webmaster forum.” In its LinkedIn profile, it said, “Thousands of freelancers earn their lives with Digital Point forums.” Users include freelancers, service providers, and other professionals.
Website Planet and security researcher Jeremiah Fowler discovered the leak on July 1, 2020. However, the article describing the incident in detail written by Fowler was published on the Website Planet on Monday.
The research team informed Digital Point the day it was discovered. To mitigate the situation, the company restricted access within hours.
The source of the leak is an Elastic database that has been configured to ‘open,’ thus was visible using any kind of browser. Because it is publicly accessible, malicious parties could edit, download, and delete data without administrative access.
Information leaked because of the non-password protected database includes user emails, internal user ID numbers, names, user posts, and other internal records. Website Planet noted that such info could be used by cybercriminals to harm users.
According to Data Point, this breach can result in domain hijacking, email-based malware attacks, social engineering, and targeted phishing attempts. Risks for ransomware, middleware, and hacking are also increased.
Regarding the potential harms, Fowler noted that “this dataset would have been a treasure chest of information for domain hijackers,” especially with many users using generic emails such as ‘admin@’ or other similar ones.
ZDNet also noted that the dataset “could have become one of many to succumb to Meow Bot, an automated script that was responsible for the compromise of thousands of unsecured MongoDB and Elasticsearch databases in July.”
When the Meow Bot script was implemented, it takes over the database and shows only numbers and the word “meow.” Website Planet also remarked that Meow Bot was able to wipe out records by the thousands in just a short span.
Aside from the potential risks to the users and their information, the unprotected dataset could also result in the compromise of the entire network as it was exposed and susceptible to attacks.
Both Website Planet and ZDNet got in touch with Digital Point for comments and updates. No reply has been given as of writing.