How a misconfigured server managed by a third party exposed 2.8 million records

Ferhat Dikbiyik
Nov 6 · 3 min read

A security incident accidentally exposed the records of 2.8 million CenturyLink customers through a misconfigured MongoDB database operated by a third-party vendor. The vendor's name has not been disclosed, but it is a notification platform used by CenturyLink. The exposed data may include names, addresses, phone numbers, email addresses, and CenturyLink account numbers; the incident did not involve financial information.

CenturyLink gave a statement to CompariTech saying: “Since becoming aware of this situation, we have worked to confirm that the security issue has been addressed and we are conducting a thorough investigation of the incident. The data involved appears to be primarily contact information and we do not have reason to believe that any financial or other sensitive information was compromised. CenturyLink is in the process of communicating with the affected customers. We will continue to work to protect customer information. CenturyLink takes the protection of our customers’ information seriously, and we will work to ensure that we earn our customers’ trust.”

Many companies and their third parties store their data on cloud servers. For all their advantages, misconfigured servers can expose sensitive data, a mistake that is an open invitation for hackers to dump a company’s data and use it for their malicious activities.

How is it possible?

Cloud service providers improve their cyber resilience as much as possible. They publish best practices for using their cloud services and offer options to keep data public or private, but that setting is configured by the companies that deploy the cloud servers. Any misconfiguration may expose data to the public, and the first to notice such exposed data are often hackers and hacktivists.

A shortlist of common misconfigurations

  • Use of factory-default system credentials (usernames/passwords)
  • Directory and file listings that are not disabled and are easily found through search engines
  • Responses that reveal too much information, such as pages returned to users with detailed error messages
  • Leaving unnecessary content in place, such as sample apps, old privileges, and unused user accounts
  • Out-of-date software, use of legacy systems, and missing patches

Simple steps to prevent data exposure through misconfiguration

  • Discover all the 3rd- and 4th-party service providers and cloud storage servers that your company uses.
  • Check cloud storage servers for misconfiguration.
  • Monitor the cyber risk of your 3rd- and 4th-party providers.
  • Regularly check Intrusion Detection System (IDS) logs, and consider host-based IDS rather than network-based IDS to examine events at the host level.
  • Increase the cybersecurity awareness of your employees and regularly check for leaked credentials.
  • Create an agile patch management procedure. To that end, use tools such as NormShield Cyber Risk Scorecards, which report your cybersecurity posture in Patch Management (among 19 other categories).
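The "check cloud storage servers for misconfiguration" step, applied to the kind of database behind this incident. The following is an added example, not code from the article or from NormShield: it audits a mongod.conf for the combination that exposes a MongoDB instance to the Internet, a non-loopback bindIp (or bindIpAll) with security.authorization left disabled. The minimal YAML parser is a hypothetical helper covering only the two-level subset mongod.conf uses, and both sample configs are constructed.

```python
"""Audit a mongod.conf for settings that expose the database publicly.
Assumes the two-level 'section:\\n  key: value' YAML subset of mongod.conf;
MongoDB itself defaults to binding 127.0.0.1 only (since 3.6)."""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_minimal_yaml(text):
    """Hypothetical helper: parse 'section:' / '  key: value' lines, ignoring comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop trailing comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if not raw.startswith((" ", "\t")):         # top-level section name
            section = key
            conf[section] = value if value else {}
        elif isinstance(conf.get(section), dict):   # nested key under section
            conf[section][key] = value
    return conf


def audit_mongod_conf(text):
    """Return (severity, message) findings for an exposed or unauthenticated listener."""
    conf = parse_minimal_yaml(text)
    net = conf.get("net", {}) if isinstance(conf.get("net"), dict) else {}
    sec = conf.get("security", {}) if isinstance(conf.get("security"), dict) else {}
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    bind_ips = [ip.strip() for ip in net.get("bindIp", "127.0.0.1").split(",")]
    exposed = bind_all or any(ip not in LOOPBACK for ip in bind_ips)
    auth_on = sec.get("authorization", "disabled").lower() == "enabled"
    findings = []
    if exposed and not auth_on:
        findings.append(("high", "non-loopback bindIp with security.authorization disabled"))
    elif exposed:
        findings.append(("info", "reachable beyond loopback; confirm firewall/security-group rules"))
    return findings


# Constructed sample configs: the weak setting beside the corrected one.
EXPOSED_CONF = "net:\n  port: 27017\n  bindIp: 0.0.0.0\nsecurity:\n  authorization: disabled\n"
HARDENED_CONF = ("net:\n  port: 27017\n  bindIp: 127.0.0.1,10.0.0.5  # private interface only\n"
                 "security:\n  authorization: enabled\n")
```

Run against a real mongod.conf, a "high" finding is the configuration this article describes; an "info" finding still deserves a look at who can reach the listener.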





Partially published at www.normshield.com.

Written by Ferhat Dikbiyik, Ph.D., C|TIA, R&D Manager at NormShield Cyber Security
