Thomson Reuters Corp. has been found to have exposed more than 3 terabytes of sensitive customer and corporate data, the latest company to fail in applying basic security to its hosting solutions.
The data was found on public-facing Elasticsearch databases. The content of the databases, which surprisingly also included plaintext passwords to third-party servers, primarily consisted of logging data collected through user-client interactions.
- Media giant with $6.35 billion in revenue left at least three of its databases open
- At least 3TB of sensitive data exposed including Thomson Reuters plaintext passwords to third-party servers
- The data company collects are a treasure trove for threat actors, likely worth millions of dollars on underground criminal forums
- The company has immediately fixed the issue, and started notifying their customers
- Thomson Reuters downplayed the issue, saying it affects only a “small subset of Thomson Reuters Global Trade customers”
- The dataset was open for several days – malicious bots can discover instances within mere hours
- Threat actors could use the leak for attacks, from social engineering attacks to ransomware
The data collected includes documents with corporate and legal information about specific businesses and individuals. In one example, an employee of a company was looking for information about an organization in Russia using Thomson Reuters services, only to find out that its board members were under U.S. sanctions over their role in the invasion of Ukraine.
Researchers also discovered one of the open databases included the internal screening of other platforms such as YouTube, and Thomson Reuters clients’ access logs and connection strings to other databases. The exposure of connection strings is noted to be particularly dangerous because Reuter’s internal network elements were exposed, giving threat actors the ability to move laterally and pivot through internal systems.
The researchers also found login and password reset logs. While not exposing old or new passwords, the logs show the account holder’s email address and the exact time the password change query was sent.
Thomson Reuters has tried to downplay the data exposure, claiming that out of the three exposed servers found, two were designed to be publicly available and the third was a non-product server meant for “application logs from the pre-production/implementation environment.”
The researchers warn that the data is likely worth millions of dollars on underground criminal forums. It was exposed for several days, giving ample time for malicious bots to discover and steal the data. The data in the exposed databases could be used for social engineering attacks and ransomware, among other potential attack vectors.