More than eight terabytes of email metadata have been exposed after a database belonging to a Chinese university was left without basic security measures.
The exposed server belonged to Shanghai Jiao Tong University and was discovered on the 22nd of May by Justin Paine, director of Trust and Safety at Cloudflare. The University has more than 41,000 students spanning from undergraduate studies through to PhD level.
Explaining the breach on the Rainbowtabl.es security blog, Paine said the ElasticSearch database was found during a Shodan search. The exposed database contained around 9.5 billion rows of data and, at the time of discovery, was still active, he said. After the discovery, the database also grew from 7TB to 8.4TB in less than a day.
Paine explained that the information contained in the exposed database was packaged using Zimbra, a well-known open-source email solution which is currently used by more than 200,000 businesses around the world.
Based on the metadata, Paine said, he was able to locate all emails being sent – or received – by a specific person. This data also included the IP address and user agent of the person checking their email. Due to this, Paine was able to locate all the IPs used and the type of device used by a specific person.
Email threads between users were visible. However, Paine noted that only metadata was involved. Subject lines or specific details contained within emails were not exposed.
“Based on the metadata I was able to locate all email being sent or received by a specific person,” Paine wrote. “This data also included the IP address and user agent of the person checking their email. As such, I could locate all the IPs used and device type of a specific person.
“Using this metadata I could see the high-level details of a specific email exchange such as which email address was sending or receiving an email from a different email address…this database did not contain the subject line information or the body of these emails.”
The university was notified of the open server on the 23rd of May and acted swiftly, Paine confirmed. Within 24 hours, the leak was rectified and Paine praised the quick reaction of the institution – conceding, however, that students may not have been notified.
“I would like to thank the university’s security team for their prompt action to secure this data once notified,” Paine wrote. “As far as I am aware they have notified the impacted students.”