The database included hundreds of thousands of contract details for volunteers in the program, plus more than 1 million names, email addresses, and passwords of users who signed up through the website.
Comparitech’s security research team, led by cybersecurity expert Bob Diachenko, discovered the database on May 30 and reported it to the French Civic Service the same day. The organization acted quickly and secured the exposed server a few hours later.
The French Civic service told Comparitech in a statement that a subcontractor had exposed the database of former volunteers:
The “Agence du Service Civique” was alerted on Saturday 30 May at 3.30 pm that a security breach was detected in the system of one [of] our subcontractors and had allowed access to a personal database of former volunteers with the French Civic Service. Immediately, the “Agence du Service Civique” did everything that what necessary to find the origin of the breach and secure it. Access was blocked on Saturday 30 May at 7pm.
It was a test platform, not our website, on which one of our subcontractors had loaded our database without a proper secure system on May 25th. Our investigation on the history of unauthorized access on this database shows that, to the best of our knowledge, no malicious intrusion occurred on the platform.The incident report has been sent to French authority CNIL “Commission nationale de l’informatique et des libertés” and the Ministry in charge was permanently informed during our investigation. A full audit of all our systems will be launched. We are committed to keep our awareness raised about cyber hygiene.
Timeline of the exposure
The database was exposed for five days in total:
May 25, 2020: A subcontractor working on behalf of the French Civic Service deployed the database
May 27, 2020: The exposed database was indexed by search engine Shodan.io
May 30, 2020: Diachenko discovered the database and reached out to French security researcher Baptiste Robert, who helped bring the incident to the attention of the French Civic Service
May 30, 2020: The exposed data was secured about three hours after Diachenko’s disclosure
Although the French Civic Service stated that no malicious intrusions occurred, we cannot confirm whether any other unauthorized parties accessed the data.
What data was exposed?
The open and unprotected MongoDB database contained several sets of data, including:
- 373,892 volunteer details, including ELISA contract information. ELISA (Local Extranet for Compensation and Monitoring of Volunteer Reception in Civic Service) is the system used to authorize organizations that wish to hire volunteers through the French Civic Service and manage contracts and payment between those organizations and their volunteers. Information in these documents includes:
- Full names of both parties
- SIRET identification numbers
- Terms of volunteer service
- Internal documents and links
- More than 1 million website user records including:
- Email addresses
- Full names
- Account passwords
- A directory of 1,913 high profile contacts including:
- Street addresses
- Phone numbers
- Email addresses
Dangers of exposed data
Although the French Civic Service says no malicious intrusions were detected, we strongly recommend impacted users and volunteer organizations take steps to protect themselves in case cybercriminals managed to steal the exposed data.
The leaked passwords are the most worrying. Affected users should immediately change their website login passwords. Additionally, if the same password and email combination were used on any other account or service, change those as well to prevent credential stuffing attacks.
Anyone whose contact information was exposed should be on the lookout for scam and phishing emails from criminals posing as the French Civic Service and related organizations.
Why we reported this exposure
Comparitech works with security researcher Bob Diachenko to find and report instances of personal data exposure online. On finding, for instance, an unsecured database full of sensitive information, we immediately begin trying to find out who the data belongs to, who may be affected, what type of information was exposed, and any potential ramifications that could occur as a result of this data being in the public domain.
Our goal is not to name and shame organizations for their security failings. Rather, it is to prevent people from becoming victims of identify theft, spear-phishing campaigns, and other malicious attacks as a result of having their data exposed. This is why, before making our findings public, we first coordinate with the database owners and ensure that the data is no longer accessible.
This is far from the only instance of its kind. In the past, our team has discovered several similar incidents, including when:
- 42 million Iranian “Telegram” phone numbers and user IDs were breached
- Details of nearly 8 million UK online purchases leaked
- 250 million Microsoft customer support records were exposed online
- More than 260 million Facebook credentials were posted to a hacker forum
- Almost 3 billion email address leaked, many with corresponding passwords
- Detailed information on 188 million people was held in an unsecured database
- K12.com exposed 7 million student records
- MedicareSupplement.com made 5 million personal records publicly available
- Over 2.5 million CenturyLink customer records were leaked
- Choice Hotels leaks records of 700,000 customers