Unsecured Database Leaves 8.4 TB of Email Metadata ExposedShanghai Jiao Tong University Has Since Locked-Down Elasticsearch Server
An unprotected database belonging to a major Chinese research university left 8.4TB of email metadata exposed to the internet before school officials locked it down in late May, a security researcher says.
Justin Paine, the director of trust and safety with Cloudflare, first discovered the exposed database, which belongs to Shanghai Jiao Tong University in China, on May 22. However, within two days of notifying the school's administration, the university's IT team had secured the Elasticsearch server, Paine writes in a Sunday blog post.
It's not clear how long this particular server was left exposed to the internet, but Paine notes in a blog post for Rainbowtabl.es that it does not appear to have affected students at the university.
The database did contain a significant amount of the school's email metadata, which included information on the sender, destination and time of the emails. Paine notes this data could allow an attacker or cybercriminal to locate all email being sent or received by a specific person.
"This data also included the IP address and user agent of the person checking their email," Paine writes in his blog post. "As such, I could locate all the IPs used and device type of a specific person."
Paine added that the university's database did not contain the subject line information or the body of these emails.
A university spokesperson did not immediately respond to a request for comment.
Significant Data Exposed
Shanghai Jiao Tong University is a major research institution located in Shanghai that was founded in 1896. The school now boasts more than 16,000 undergraduate students, nearly 22,000 graduate students and over 3,000 faculty members, according to its English-language website.
The university also has a lot of data.
As part of a security research project, Paine found the unsecured database using the Shodan search engine on May 22. Specifically, he located 9.5 billion rows of data that translates to approximately 8.4 TB of data.
The metadata itself appears to have stored through Zimbra, an open source email server and web client platform, which counts some 500 million users worldwide.
The amount of data within the Elasticsearch server was also growing at a rapid rate after Paine discovered it. When Paine first observed the unprotected database on May 22, it held 7 TB of metadata. By the next day, it had grown to 8.4 TB. By May 24, however, he said the database had been secured.
This type of data exposure, with security researchers and others finding unprotected, cloud-based databases, are becoming increasingly common, especially as organizations move data from on-premises datacenters to various cloud services.
In the past week, Tech Data Corp., one of the largest distributors of hardware, software and software management services, was forced to disable a logging server used for its StreamOne cloud services marketplace after a data exposure. In that case, independent researchers Noam Rotem and Ran Locar found the server was open online and did not require authentication (see: Tech Data Says It Has Closed Off StreamOne Data Exposure).
Before that incident, the same two researchers found that an unsecured database belonging to Canadian mobile operator Freedom Mobile exposed personal details and unencrypted credit card data (see: Canadian Mobile Provider Exposed Payment Card Numbers).
The difference between what happened with the unsecured Shanghai Jiao Tong University database and some of these other incidents is that the email metadata is not as important to cybercriminals as credit card and other payment information, says Chris Morales, head of security analytics at Vectra, a San Jose, California-based threat detection and response firm.
Any organization looking to move data to the cloud must ensure that it's protected by strong access controls, which are built into tools such as Elasticsearch, experts warn.
"The Elasticsearch cloud instance didn't have authentication and was located using Shodan, an open source network discovery tool," Morales says. "This is not a security vulnerability. It is a misconfiguration of cloud-based administrative access. This is a real, ongoing problem," Morales said, citing Uber as just one example of an organization that was so hacked.
"The good news is I can't think of anything extremely damaging from having email metadata from a university," he says. I don't think this information was overly private."