UPDATED 20:05 EDT / OCTOBER 27 2022

SECURITY

Thomson Reuters exposes 3TB+ of sensitive data on unsecured ElasticSearch database

Media conglomerate Thomson Reuters Corp. has been found to have exposed more than 3 terabytes of sensitive customer and corporate data, making it the latest company to fail to apply basic security to its hosting solutions.

Discovered by researchers at Cybernews and announced today, the data was found on public-facing ElasticSearch databases. The content of the databases, which surprisingly also included plaintext passwords to third-party servers, primarily consisted of logging data collected through user-client interactions.

The data collected includes documents with corporate and legal information about specific businesses and individuals. In one example, an employee of a company was looking for information about an organization in Russia using Thomson Reuters services, only to find out that its board members were under U.S. sanctions over their role in the invasion of Ukraine.

The Cybernews researchers also discovered that one of the open databases included the internal screening of other platforms such as YouTube, Thomson Reuters clients’ access logs and connection strings to other databases. The exposure of connection strings is noted to be particularly dangerous because it exposed elements of Thomson Reuters’ internal network, giving threat actors the ability to move laterally and pivot through internal systems.

Finally, the researchers also found login and password reset logs. While not exposing old or new passwords, the logs show the account holder’s email address and the exact time the password change query was sent.

Thomson Reuters has tried to downplay the data exposure, claiming that out of the three exposed servers found, two were designed to be publicly available and the third was a non-product server meant for “application logs from the pre-production/implementation environment.”

The researchers warn that the data is likely worth millions of dollars on underground criminal forums. It was exposed for several days, giving ample time for malicious bots to discover and steal the data. The data in the exposed databases could be used for social engineering attacks and ransomware, among other potential attack vectors.

“It’s concerning that the dataset was open for so long,” Benjamin Fabre, co-founder and chief executive of bot protection company DataDome SAS, told SiliconANGLE. “Threat actors — and the malicious bots they deploy — are opportunistic and can wreak havoc very quickly once they get ahold of sensitive data.”

Fabre added that “bots can (and will) leverage personally identifiable information to conduct all sorts of attacks, including account takeover, credential stuffing, carding and more. This likely won’t be the last we hear of this breach.”

“Once an organization or industry is viewed as vulnerable, threat actors will continue to bombard that organization or industry until they successfully identify an exploitable gap,” added Jerrod Piker, competitive intelligence analyst at cybersecurity company Deep Instinct Ltd. “Once in, threat actors will do everything they can to establish persistence and maximize their damage or profits.”
