Data Leak: 95 Million Records of French Citizens at Risk

A massive data leak has exposed 95 million records belonging to French citizens. This data, which includes phone numbers, email addresses, and partial payment information, makes the affected individuals vulnerable to targeted cyberattacks.

An unknown actor has been hoarding personal information from various data breaches in France and compiling it into a single database.

The Cybernews research team, along with Bob Dyachenko, a cybersecurity expert, discovered an open Elasticsearch server that contained a wealth of information useful to cybercriminals. Elasticsearch is a tool for data analytics and near real-time search. This server was reachable without any authentication and featured a massive collection of over 95 million documents from at least 17 data breaches, totaling 30.1 GB of data.

The Scale of the Leak

For comparison, the population of France is approximately 67.79 million. “This database is designed to compile information from multiple French-related data breaches and includes both known and unknown leaks,” the researchers stated.

In many instances, the exposed data included full names, phone numbers, addresses, emails, IP addresses, and partial payment information.

“Likely, a threat actor collected data from well-known company breaches. The exposed files cover telecommunications, e-commerce, and social media sectors, highlighting the widespread nature of the breach,” the researchers added.

Who is Responsible?

The identity of the database owner remains unclear. The server seems to have been unintentionally exposed due to misconfigurations. “The sheer volume of records and the focus on a single country heighten the severity of the exposure. It potentially affects millions of individuals and companies in France and could lead to a higher risk of identity theft and fraud,” the Cybernews researchers warned.

The cluster is hosted by a small French hosting company, indicating that European data protection regulations (GDPR) should apply, which require explicit user consent for the collection and storage of personal data.

What was in the Leak?

The leak consists of at least 17 parts, each corresponding to a separate data incident. While the file names suggest potential companies involved, Cybernews cannot confirm the authenticity of the data. Some of the files include:

  • Lyca scrappe.txt: Likely refers to scraped data from Lycamobile.
  • Pandabuy-Email.txt: Possibly linked to a breach involving customer email data from Pandabuy.
  • darty.com.txt: May involve a breach related to Darty, a French electronics retailer.
  • discord_1_2024.txt: Indicates a potential incident involving Discord.
  • snapchat.sql.txt: Suggests a breach involving Snapchat.

The diversity of affected companies reflects the extensive nature of the breach.

Sensitive Information and Its Risks

It is highly unlikely that any legitimate data processor operating within the EU left such data unprotected. “Such an amount of data cannot be legally collected, acquired, and combined without user consent, given EU regulations. The fact that the data was left exposed without any security measures suggests that the database owner may have malicious intent,” the researchers concluded.

Since the database has been publicly accessible for an extended period, it is highly likely that other malicious actors have already copied the data. The immediate risks for the exposed individuals include becoming targets for identity theft and fraud. Email addresses combined with other sensitive details can be used for personalized phishing attacks.

The Role of Penetration Testing

To prevent such massive data leaks and security incidents in the future, penetration testing plays a crucial role. By conducting targeted tests of IT infrastructure, companies can identify vulnerabilities that may be exploited. Penetration testing simulates attacks from cybercriminals to evaluate a company’s response and close security gaps.

Regular penetration tests help ensure that systems are robust against threats and comply with data protection regulations like GDPR. This includes verifying server, network, and database configurations to ensure that sensitive information is not left unprotected.

Mitigation Measures

Companies involved in these breaches may suffer reputational damage, especially if incidents were previously undisclosed. The researchers recommend the following measures to strengthen cybersecurity:

  • Secure Data Storage: Implement strong authentication and access controls.
  • Regular Security Audits: Monitor cloud infrastructure to identify vulnerabilities.
  • Disclosure and Communication: Promptly notify affected companies and individuals about the exposure and provide guidance on protecting their data.
  • Limit Data Collection: Collect only what is absolutely necessary for business operations.
  • Review Data Aggregation Practices: Reassess the security and necessity of aggregating large datasets.
  • Ensure Compliance with GDPR: Meet the requirements of GDPR and of any other relevant data protection regulations.
  • Implement Breach Detection Mechanisms: Detect unauthorized access or misconfigurations in real time.
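The kind of misconfiguration behind an openly reachable Elasticsearch cluster usually lives in a handful of lines of `elasticsearch.yml`. The following is an added illustration, not configuration from Cybernews or from the exposed server, showing the weak settings beside their corrected counterparts; the node and certificate names are placeholders.

```yaml
# --- Weak configuration (how a cluster ends up open to the internet) ---
# Binds the HTTP and transport APIs to every interface, including public ones.
network.host: 0.0.0.0
# Disables the built-in security module: no users, no roles, no authentication.
xpack.security.enabled: false
# Serves plain HTTP, so any credentials that are used travel in the clear.
xpack.security.http.ssl.enabled: false

# --- Corrected configuration (authentication, encryption, private binding) ---
# Bind only to the private interface (placeholder address) and let a reverse
# proxy, VPN or firewall mediate any external access.
network.host: 10.0.0.5
# Turn the security module on: every request must carry valid credentials,
# and roles limit which indices each principal may read.
xpack.security.enabled: true
# Encrypt the REST API with a certificate for this node (placeholder paths).
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http-node-01.p12
# Encrypt node-to-node traffic as well, so a second node cannot join or read
# the cluster without presenting a trusted certificate.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/transport-node-01.p12
xpack.security.transport.ssl.truststore.path: certs/transport-node-01.p12
```

A quick self-check for an operator is that an unauthenticated request to the cluster's own HTTPS port returns 401 rather than the cluster banner; anything else means the audit bullet above has not been met.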

This incident highlights the critical need for robust cybersecurity strategies to protect sensitive data and minimize the risk of cyberattacks. By implementing targeted penetration tests, companies can strengthen their security measures and safeguard against potential threats.