Misconfigured server exposed half of all Brazilian taxpayer ID numbers, report says
A database containing personally identifying information of 120 million Brazilian citizens and residents was accessible on the open web for some time, according to a report published Tuesday by cybersecurity company InfoArmor.
The records reportedly contained the Cadastro de Pessoas Físicas (CPF) — a counterpart to Social Security numbers — of more than half of Brazil’s population of 210 million. The unprotected CPFs were linked to people’s basic contact information, financial accounts, credit and debit history, voting history, family relations and more, InfoArmor says.
The company’s researchers say they encountered the openly accessible HTTP server in March 2018 while scanning the web for compromised machines. Within the database, the file “index.html” had been renamed to “index.html_bkp,” which the report says made it visible to the public.
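As an added illustration, not code from the report or the article, the following Python check is one a site owner can run against the body their own web server returns for a directory URL: it flags an auto-generated listing, the absence of an index file, and leftover backup copies such as the renamed index.html_bkp described above. The backup-suffix list and the sample listing are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Suffixes that mark a leftover copy of a web root's index page, like the
# "index.html_bkp" named in the report. The list itself is an assumption.
BACKUP_SUFFIXES = ("_bkp", ".bkp", ".bak", ".old", ".orig", "~")
INDEX_NAMES = {"index.html", "index.htm", "index.php"}


class _LinkCollector(HTMLParser):
    """Collects href targets and the <title> text of a response body."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.title, self._in_title = [], "", False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def audit_listing(html):
    """Audit the body your own server returns for a directory URL: is it an
    auto-generated index (Apache/nginx title it "Index of ..."), is an index
    file present, and which backup copies does the listing reveal?"""
    p = _LinkCollector()
    p.feed(html)
    names = [h.rstrip("/").rsplit("/", 1)[-1] for h in p.hrefs]
    names = [n for n in names if n not in ("", ".", "..")]
    return {
        "directory_listing": bool(re.match(r"\s*index of\b", p.title, re.I)),
        "has_index_file": any(n in INDEX_NAMES for n in names),
        "backup_files": sorted(n for n in names if n.endswith(BACKUP_SUFFIXES)),
    }


# Constructed sample: a web root whose index.html was renamed, so the server
# falls back to an automatic listing (the condition the report describes).
SAMPLE_LISTING = """<html><head><title>Index of /</title></head><body><h1>Index of /</h1>
<ul><li><a href="../">Parent Directory</a></li><li><a href="index.html_bkp">index.html_bkp</a></li>
<li><a href="export/">export/</a></li></ul></body></html>"""
```

Running `audit_listing(SAMPLE_LISTING)` reports a directory listing with no index file and `index.html_bkp` as the exposed backup copy; a normal landing page yields no listing and no backup files.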
Anyone who knew what they were looking for could have found it, InfoArmor says. While the data wasn’t discovered as part of a breach, the researchers caution that hackers could have accessed it and it could be a while until evidence of exploitation surfaces.
“It took over a year for data stolen from Yahoo to appear for sale on the dark web, and data as unique as what was available in Brazil’s CPF server is likely to be traded among the most closed off and exotic data troves of the dark web,” the report says.
It’s still not clear who owns the database. InfoArmor said repeated attempts to contact the owners over several weeks yielded no proper response. The researchers say they observed someone managing and replacing files on the open server throughout the investigation, and the server eventually was reconfigured into a website with a login page on a subdomain of “alibabaconsultas.com.”
Eventually, the researchers say they received an answer from the hosts saying “that they had notified their customers about the legal issues of leaving such data exposed, yet the data remained exposed online for several weeks thereafter.”
“Although InfoArmor cannot be sure that alibabaconsultas.com was responsible for the leak, it appears they were somehow involved, likely in a hosting-as-a-service function,” the report says.
As InfoArmor wasn’t able to properly communicate with the database owners, it’s difficult to say for certain whether cybercriminals or other malicious actors accessed the database. Still, the researchers expressed confidence that determined groups wouldn’t miss it.
“It is safe to assume that any intelligence organization or cybercrime group with reasonable collection capabilities and expertise will have captured this data. This data could very likely be used against the population of Brazil, the nation of Brazil, or any nations hosting people who have a CPF,” the researchers wrote.
InfoArmor’s finding highlights the persistent problem of misconfigured, internet-connected databases, which can expose individuals’ sensitive information to nefarious actors. The Brazil case, particularly in its scale, resembles Equifax’s mega-breach last year, which exposed more than 148 million people’s private information, including SSNs.