The data of 32 million Brazilian Sky customers was exposed on the Internet. According to independent security researcher Fábio Castro, the information could be found by anyone who knew where to look. The researcher told the Bleeping Computer website that he found a file with various personal information from pay-TV users.
Among the leaked data were full name, email, service login password, IP address, payment methods, phone number and home address. dnetc contacted Sky, but there was no response at the time of publication of this article.
Sky Brasil's customer data was exposed for a long time on the Internet. Photo: Reproduction / Pond5
According to the outlet, Castro used the advanced features of Shodan, a specialized search engine that lists computers connected to the network. On the platform, he found several servers in Brazil running the Elasticsearch database that made the information they contained available without authentication.
Among them, there was a group of servers called "digital-logs-prd" that, by means of a simple command, made the data of Sky Brasil's customers available. According to the site, it is common for Elasticsearch servers to be configured incorrectly, even at large companies that hold records of millions of people.
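An added example (not from the article, the researcher or Sky): a small audit of an `elasticsearch.yml` for the misconfiguration described above, an HTTP API bound to a non-loopback address with authentication off. It assumes flat dotted keys and treats a missing `xpack.security.enabled` as disabled (the pre-8.0 default); both sample configurations are constructed.

```python
# Added example: flag an Elasticsearch HTTP API reachable without authentication.
# Assumptions: flat dotted keys only; a missing xpack.security.enabled counts as
# disabled (pre-8.0 default). Both sample configurations below are constructed.
LOOPBACK = {"localhost", "127.0.0.1", "::1", "_local_"}
WEAK = """\
cluster.name: example-logs
network.host: 0.0.0.0        # listens on every interface
xpack.security.enabled: false
"""
HARDENED = """\
cluster.name: example-logs
network.host: [_local_, 10.0.0.5]
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

def parse_flat_yaml(text):
    """Return {key: value} for 'dotted.key: value' lines, ignoring comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def bind_hosts(settings):
    """Addresses the HTTP API binds to; http.host overrides network.host."""
    value = settings.get("http.host") or settings.get("network.host") or "_local_"
    return [h.strip().strip("\"'") for h in value.strip("[]").split(",") if h.strip()]

def audit(text):
    """Return (severity, message) findings for one elasticsearch.yml."""
    settings = parse_flat_yaml(text)
    exposed = [h for h in bind_hosts(settings) if h.lower() not in LOOPBACK]
    auth_on = settings.get("xpack.security.enabled", "false").lower() == "true"
    tls_on = settings.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    if exposed and not auth_on:
        return [("CRITICAL", f"HTTP API on {exposed} answers without authentication")]
    if exposed and not tls_on:
        return [("WARN", f"HTTP API on {exposed} has no TLS; credentials sent in clear")]
    return []

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

Run against each node's configuration as part of deployment checks; a node with no `network.host` set binds to loopback only and produces no finding.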
Sky Brasil's customer data was exposed for a long time on the Internet. Photo: Publicity / Sky
The researcher, who is a Sky customer and also had his data exposed, revealed that he had been able to access confidential information, including home addresses and telephone numbers of high-ranking politicians, such as governors and government officials. This material in the hands of malicious people could be used to mount social engineering attacks and profit from fraud.
The researcher told Bleeping Computer that he informed Sky Brasil of the discovery and that the company solved the problem in a few minutes by restricting access to the content with a password. Castro, however, stresses that the data was exposed long enough for cybercriminals to have accessed it.
Users can perform some procedures to increase digital security and reduce the impacts of fraud by hackers. The first step is to avoid using the same passwords on different sites. Malicious people can use the leaked personal information to try to access other platforms in order to obtain something of value, such as money, air miles and expensive goods.
It is recommended to take special care with your most important accounts, using unique credentials at least on them. If you have trouble remembering so many credentials, a password manager can be useful. Also, check whether your passwords have ever been compromised. There are tools with a database of leaks that allow this lookup, such as Have I Been Pwned.
Fabio Assolini, senior security analyst at Kaspersky Lab, listed some security tips for cases of data leakage.
- Take control of your data: delete accounts you no longer use, such as profiles on social media and sign-ups on old shopping sites;
- Do not use the same password in all your accounts: if your password is the same in several places, the chance of cybercriminals getting some data and eventually leaking it is even greater;
- If your data leaks online, don't forget to change your passwords. To remember them, a password manager facilitates much of this work;
- Be wary of emails or messages that prompt you to click on links or download attachments. Phishing messages are one of the main causes of compromised accounts; if in doubt, don't click;
- Back up your personal data on a hard drive or standalone device. Ransomware is still a big threat to your data, so better protect yourself.