echo: politics
to: All
from: Mike Powell
date: 2024-11-21 10:44:00
subject: Social platform for US an

Social platform for US and UK military may have exposed over a million records

Date:
Thu, 21 Nov 2024 13:01:00 +0000

Description:
Armed forces members could be subject to identity theft attacks and extortion
after exposed database was discovered.

FULL STORY

A top cybersecurity researcher has uncovered an unprotected online database
containing sensitive PII and data for members of the US and UK armed forces. 

Jeremiah Fowler's writeup, shared with VPNMentor, outlines how the database
belonged to Forces Penpals, a dating and social networking service for 
members of the armed forces, and contained 1,187,296 records. 

Much of the data apparently included full names, addresses, social security
numbers of US personnel, National Insurance Numbers and Service Numbers of UK
personnel, along with rank, branch of service, dates, and locations of
military service members.

Armed forces data left exposed 

Fowler found the database without encryption or password protection, meaning
that it could have been accessed by anyone with an internet connection.

Fowler notified Forces Penpals about the exposure, and the database was
protected the following day. However, it is not known how long the database
was exposed for, with Fowler noting that, "Only an internal forensic audit
could identify additional access or potentially suspicious activity."

Forces Penpals, which claims to have over 290,000 members, both civilian and
military, replied to the exposure notice, and provided an explanation: "Thank
you for contacting us. It is much appreciated. Looks like there was a coding
error where the documents were going to the wrong bucket and directory
listing was turned on for debugging and never turned off. The photos are
public anyway so that's not an issue, but the documents certainly should not
be public."

The level of detail contained within some of the documents would provide a
malicious user with enough information to launch an identity theft or social
engineering campaign against exposed users. 

Additionally, Fowler says, some of the exposed data contained within the
database, such as ranks, levels of security clearance, and locations, could
have national security implications. 

Earlier this year, Chinese state-sponsored threat actors reportedly breached 
a third-party contractor for the UK Ministry of Defense and accessed the data
of armed forces personnel, with a similar attack attempting to steal records
of ex-RAF pilots also attributed to Chinese state-sponsored groups.

======================================================================
Link to news story:
https://www.techradar.com/pro/social-platform-for-us-and-uk-military-may-have-exposed-over-a-million-records

--- SBBSecho 3.20-Linux
                                                                                                               
* Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)

SOURCE: echomail via QWK@pharcyde.org
