[German]There has been a data leak at the French newspaper Le Figaro where personal data of subscribers, sometimes even passwords in plain text, have been disclosed.
I was informed of the matter a few hours ago by the safety researchers of the Safety Detective Research Team. The team, led by Anurag Sen, discovered the serious data leak at the French daily newspaper Le Figaro.
Le Figaro is the oldest daily newspaper in France and was founded in Paris in 1826. It is probably one of the most popular newspapers in the country with the largest daily circulation in France. The online version of Le Figaro is among the 50 most visited websites in France.
Unprotected Elasticsearch database
When searching the Internet for open databases, they found an Elasticsearch server from Poney Telecom in France. There a database was hosted that contained over 8 TB of data, a total of about 7.4 billion records. At the time of the investigation, the server including the database was in operation and unprotected. The security researchers thus gained access to personal data (PII), the French daily newspaper Le Figaro has stored within this data base.
What data was leaked
Le Figaro's database contained API logs of the company's desktop and mobile websites for the past three months. For example, when the investigation of the security team began in late April 2020, the logs dated back to February. Since the database was probably set up in March 2019, it's also possible that data was publicly available much earlier.
The log entries in the database included records of people who had registered a subscription account on the Le Figaro website from February to April 2020. In addition, there were records of existing users who logged into their accounts. For new users, their login and other personal information was recorded. For existing users, their login details remained hidden, but the personal details were also stored in clear text in the logs and thus disclosed.
The accessible (unencrypted) personal (PII) data also included the logon data of the respective users. Here are the information found in data records:
- E-mail address of the user
- Full name of the subscriber
- User's private address including postcode and country of origin
- Passwords for new users in plain text and hashed with md5
- IP addresses and internal server access tokens
The exact number of exposed persons cannot be determined in the time available due to the structure of the data. A detailed documentation of the data structures can be found here.
(Le Figaro database structure, source: safetydetectives.com)
However, security researchers estimate that at least 42,000 new users registered on Le Figaro between February and April 2020. All these users are affected by this data leak. Because of the explosive nature of the data leak, security researchers have decided to contact Le Figaro quickly after identifying the database owner, rather than spending more time investigating the data.
The compromised database also contained numerous technical logs that indicated details about additional Le Figaro backend servers and possibly additional, potentially sensitive data. Such information can be valuable to attackers who attempt to compromise the company's IT infrastructure.
The bottom line was that the entire database was completely unprotected and accessible via the Internet.
Detective work in tracing the owner
After the security team had discovered the unprotected database, the owner had to be identified beyond any doubt. The records contained many references of the type logstash-app-articles.lefigaro.fr to backends of Le Figaro.
But the unprotected database was hosted by a company called Dedibox (owned by a major IT company, Online SAS). This company in turn used a server from Poney Telecom, which was accessible under the URL poneytelecom.eu. And that is where the uncertainties started. There was another exposed server from the same Elasticsearch cluster, which was also hosted by the same company and had a similar host name.
Moreover, Poney Telecom has a reputation for tolerating questionable, unethical hosting practices and causing security issues. According to security researchers, Poney Telecom is notorious for many online attacks that seem to originate within the Poney Telcom server network. In addition, most of Le Figaro's online servers are hosted by more popular (more reputable) and much more security oriented hosting services such as Akamai.
However, the open server was a backup cluster with an HTTPS certificate for the "dev.lefigaro.fr" subdomains. This was a strong indication that the cluster owners were part of Le Figaro. Nevertheless, it still took several days for the security researchers to identify Le Figaro beyond any doubt as the owner of the database and to continue their investigation of the data. As a footnote: The security researchers created a trial account with Le Figaro and checked whether their own record appeared in the Elasticsearch database (which was then the case).
In the meantime Le Figaro was contacted and confronted with the information about the data leak. However, the article does not contain any information on whether the database has been removed from the Internet in the meantime (which I assume it has). However, the incident is relevant to the DSGVO, as personal data was openly accessible. For Le Figaro this is an absolute data disaster, because not only the own infrastructure was potentially spyable via the log files. The user data from the data leak is of course worth a lot to cyber criminals, as it can be misused for phishing attempts, identity theft and other scams. Whether third parties had access to the database is unknown, however. Further details can be found here.
Security: Data leaks, Malware, Vulnerabilities (04/24)
French Kinomap app and the data leak
Data leak with 95 million e-mails at marketing firm Maropost
Data leak at biometrics company with 80 million records
The Slickwraps data leak and the Dirty Cow vulnerability
Massive data leak at NextMotion (working in plastic surgery)
Big Data Leak at German car rental Buchbinder
Cookies helps to fund this blog: Cookie settings