Photo: William Barton / Shutterstock.com
Security researchers over at Cybernews discovered that Thomson Reuters left at least 3TB of sensitive data, including plaintext passwords, to third-party websites exposed on the internet. At least three databases were exposed to the open internet, with one containing a 3TB ElasticSearch database.
Thomson Reuters has since fixed the issue and has started notifying its customers of the breach. That said, the dataset was left open for several days and could’ve been picked by malicious bots capable of discovering such instances in hours. Cybernews researchers estimate the cost of the data to be in millions on the dark web and underground criminal forums.
Two of the three exposed databases were reportedly meant to be publicly accessible. The third server was a non-production server meant for application logs from pre-production or implementation environments.
Sensitive information leaked from a non-production server
Time stamps on data samples reviewed by the researchers suggest that the data was updated as recently as October 26, with the server being left accessible since October 21. These logs contain sensitive information that can potentially lead to supply-chain attacks if in the wrong hands.
One example of data in this third open server is the presence of access credentials to third-party services. Not only was the data publicly exposed, but was also in plaintext format requiring no additional decryption to access them.
Other exposed information includes open instances to login and password reset logs as well as sensitive SQL logs that show what information Thomson Reuters’ clients were looking for, including the resulting information itself. This also includes documents with corporate and legal information on certain businesses and individuals.
The open database also included an internal screening of platforms like Youtube, Thompson Reuters clients’ access logs and connection strings to other databases. These connection strings are especially dangerous, considering they can provide lateral access to a threat actor inside the Thomson Reuters network.
The researchers claim that the complete open instance held much more sensitive data coming in at more than 6.9 million unique logs taking up over 3TB of disk space. The full extent of the attack is not known at the moment. Any loss of information is said to be harmful to not only Thomson Reuters and its clients but also isn’t in the public interest.
Patching up and damage control
After being informed of the exposure, Thompson Reuters immediately took down the open instance. The company stated that the affected instance “only houses application logs from the non-production environment associated with a subset of Thomson Reuters’s Global Trade customers”.
Candid.Technology reached out to Thompson Reuters for a comment, and the company was quick to state that the problem was a ‘misconfigured’ server. More specifically, a non-production instance for their OneSource Global Trade product.
“It was an isolated incident where we had one misconfigured instance related to one product that impacted a subset of our customers,” Thompson Reuters told Candid.Technology.
When asked about the extent of the breach and if any third parties or bots had accessed the data while it was exposed, Dave Moran, a spokesperson for the company, stated that while the investigation is ongoing, “the only access to the exposed instance was the ethical researcher”. Moran further added that “the subset of customers is small and isolated to one component of one product” implying that only the ONESOURCE Global Trade users were affected.
Cybernews also reports that this isn’t the first time Thompson Reuters has had an exposure either. Historical data from IoT search engines indicate that some of the company’s configuration and system environment files were exposed last year, with some still being exposed to date.