Researchers at vpnMentor have uncovered a massive database containing over one million sensitive browsing records.
According to vpnMentor, the Elasticsearch database was left online without any password protection, allowing anyone to access it. The database belonged to Conor, an IT company with a vast range of ISP and telco clients in South America and Africa.
The unencrypted data related to a web filtering product the firm had created for its clients, and it exposed user activity logs for the past two months, including website URLs, IP addresses, index names and MSISDN codes.
The activity logs also contained highly sensitive information on web browsing activity, such as visits to pornography sites, social media accounts, and messaging apps such as WhatsApp.
The vpnMentor team explained that, as a result of the unsecured database, they were able to view every website a user visited or attempted to visit.
“For an ICT and software development company not to protect this data is incredibly negligent. Conor’s lapse in data security could create real-world problems for the people exposed.”
If threat actors were able to gain access to the leaked data, impacted users would find themselves the target of blackmail and extortion due to the websites they may have visited.
The post #Privacy: South African IT company leaks 890GB database appeared first on PrivSec Report.