UPDATED 15:24 EST / MAY 22 2025

Cybersecurity researcher discovers database with millions of login credentials

A cybersecurity researcher has discovered an exposed Elasticsearch database with millions of login credentials, Wired reported today.

Jeremiah Fowler found the system on May 6. Usually, Fowler told Wired, it’s possible to identify the operator of such a database by analyzing its contents. That wasn’t possible in this case. He believes that the database was most likely created by hackers to store information stolen using malware.

The exposed Elasticsearch environment contained 184 million records that took up 47 gigabytes of storage space. Those records included login credentials associated with millions of accounts.

Fowler analyzed the database by reviewing a sample of 10,000 records. He found the login credentials of more than 850 Google and Facebook users, as well as hundreds of Roblox, Discord, Microsoft, Netflix and PayPal accounts. The dataset also includes usernames and passwords from numerous other popular services.

There were 220 email addresses with .gov domains in the 10,000-record sample that Fowler analyzed. Those addresses are reportedly associated with government agencies in at least 29 countries, including the U.S., U.K. and Australia.

Elasticsearch, the software that powered the information repository, is a popular open-source search engine. It’s an enhanced version of another open-source search engine, Apache Lucene, with features that make it more scalable. Elasticsearch can be used as a database because it’s capable of storing the records on which it runs search queries.

The platform doesn’t include many of the features associated with conventional databases, notably ACID support. ACID, short for atomicity, consistency, isolation and durability, is a set of transaction guarantees designed to keep database entries intact when errors or outages occur. Elasticsearch does, however, provide cybersecurity features that can be used to make a database inaccessible via the public web.

Fowler told PCWorld that he uses several methods to uncover insecure databases. One of those techniques involves internet of things search engines. Those are services that discover internet-connected devices and collect technical data such as their IP addresses.

Fowler didn’t uncover any clues about where the information in the Elasticsearch database may have been stolen from. However, he did uncover that the system was deployed on infrastructure operated by U.K.-based hosting provider World Host Group. The company took down the database after Fowler notified it of his findings.

According to Wired, the database ran on an “unmanaged server” fully controlled by the customer. “It appears a fraudulent user signed up and uploaded illegal content to their server,” World Host Group Chief Executive Officer Seb de Lemos told the publication in a statement. “The system has since been shut down. Our legal team is reviewing any information we have that might be relevant for law enforcement.”
