Keepnet Labs Confirms That 5 Billion Email Addresses and Passwords Collated From Previous Data Breaches Were Exposed
A database holding five billion records of usernames and passwords was exposed to the internet without any form of authentication. Predictably, the incident grabbed more than a few headlines, especially in recent days, but unfortunately, it did so for all the wrong reasons.
The exposed Elasticsearch database was discovered by security researcher Bob Diachenko, who was surprised not only by its size but also by how well the information inside it was structured. A brief investigation linked the exposed data to a UK-based cybersecurity company called Keepnet Labs, which published a statement last week in an attempt to clarify what went wrong and why.
It sounds worse than it is
One of the key points of emphasis in the security company's statement is that the database doesn't contain any Keepnet Labs customer data. Keepnet Labs is a threat intelligence company that collects login credentials leaked during data breaches, and if it finds the details of some of its customers, it notifies them and advises them on what actions they need to take.
The Elasticsearch database was full of the usernames and passwords leaked during various cybersecurity incidents that occurred between 2012 and 2019. In addition to the login credentials, every record contained the source of the leak, the year of the breach, and the password storage method.
According to the statement, Keepnet Labs did use the database to provide its threat intelligence service, but it was not responsible for maintaining it. That was the job of a contractor that had been working with the security company since February 2018. While performing scheduled maintenance, an employee of that contractor briefly turned the firewall off to speed up the process and inadvertently exposed the data. After about ten minutes, the firewall was turned back on, but by then the database had already been indexed by BinaryEdge, which is how Diachenko managed to find it.
In short, the leak wasn't as bad as it first appeared. All the usernames and passwords had been leaked before the incident, and although they were available in a single, well-structured database, downloading a meaningful portion of it while it was still exposed was virtually impossible, according to Keepnet. The company says that it has learned its lessons and has taken precautions to ensure that this doesn't happen again. Unfortunately, in the immediate aftermath of the incident, Keepnet Labs took another set of precautions that didn't put it in the best light.
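The incident chain described above, a cluster with no authentication of its own that became reachable during a short firewall gap and was indexed by scanners within minutes, is exactly what an access log in front of the cluster would reveal. As an added example (not code from the article, Keepnet Labs or BinaryEdge), the following Python script flags successful requests to Elasticsearch API paths from outside a trusted address range and reports the resulting exposure window; the log lines and the 10.0.0.0/8 trusted range are constructed for illustration.

```python
"""Flag unauthenticated external reads of an Elasticsearch REST API in an
HTTP access log and compute the exposure window. Added example; the
combined-format log lines and trusted range below are constructed."""
import ipaddress
import re
from datetime import datetime

# Constructed sample: the firewall is open for a few minutes, so scanners on
# the Internet reach the cluster's REST API with no credentials at all.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2020:14:01:10 +0000] "GET /_cluster/health HTTP/1.1" 200 312 "-"
198.51.100.23 - - [10/Mar/2020:14:03:42 +0000] "GET / HTTP/1.1" 200 520 "-"
198.51.100.23 - - [10/Mar/2020:14:03:43 +0000] "GET /_cat/indices?v HTTP/1.1" 200 1440 "-"
203.0.113.7 - - [10/Mar/2020:14:09:15 +0000] "GET /leaks/_search?size=10 HTTP/1.1" 200 8812 "-"
10.0.0.5 - - [10/Mar/2020:14:12:00 +0000] "GET /_cluster/health HTTP/1.1" 200 312 "-"
203.0.113.7 - - [10/Mar/2020:14:14:30 +0000] "GET /leaks/_search HTTP/1.1" 401 0 "-"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
TRUSTED = [ipaddress.ip_network("10.0.0.0/8")]  # constructed internal range
# Paths whose unauthenticated success means the cluster is readable from outside;
# "/" alone returns cluster name and version, which scanners fingerprint on.
SENSITIVE = ("/_cat/", "/_search", "/_cluster/", "/_all/", "/_mget")

def is_trusted(ip):
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED)

def is_sensitive(path):
    return path == "/" or any(s in path for s in SENSITIVE)

def find_exposure(log_text):
    """Return (findings, window): findings are external requests that succeeded
    against sensitive paths; window is (first, last) timestamp of those hits,
    or None when nothing was reachable from outside."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if is_trusted(ip) or status != "200" or not is_sensitive(path):
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        findings.append((when, ip, method, path))
    if not findings:
        return [], None
    times = [f[0] for f in findings]
    return findings, (min(times), max(times))

if __name__ == "__main__":
    hits, window = find_exposure(SAMPLE_LOG)
    for when, ip, method, path in hits:
        print(f"{when.isoformat()} {ip} {method} {path}")
    if window:
        print("readable from outside for", window[1] - window[0])
```

On the sample, the internal health checks and the later 401 are ignored, and the three external hits bound a window of about five and a half minutes, short enough to match the article's account of a ten-minute gap being plenty for indexing.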
The disclosure was not exactly smooth
Bob Diachenko made the discovery way back in March, and after he published his report, more than a few cybersecurity news outlets and blogs covered the leak. Keepnet Labs felt that many of them made misleading statements during their coverage, which is why a few reporters were contacted and were asked to edit their articles.
Popular security blogger Graham Cluley also received an email from Keepnet, and although he didn't think his account of the facts was in any way wrong, he was more than willing to give the security company the chance to tell its side of the story. Instead of an official statement or a chance to speak to a spokesperson, however, he received an email from Keepnet's lawyers telling him that if he did not revise his article and remove the company's name, he would face legal action.
There's absolutely nothing wrong with Keepnet Labs defending its reputation if it feels that it's been damaged by poor reporting. For almost three full months, however, the company didn't issue an official statement to set the record straight, and it refused to work with the reporters to present all the facts accurately. This may have an even bigger impact on Keepnet's reputation than the alleged misrepresentation of the facts on some websites.