The team at Security Detectives has discovered another leaky database. BigFooty, a popular Australian sports fan website, was found to be leaking around 132 GB (70 million records) of private information belonging to its 100,000 members. The data in some instances included “technical information relating to the company’s web and mobile sites.”
The information was found on a compromised Elasticsearch server, and included data from the website’s forum, as well as private messages sent between users.
Although BigFooty.com did not reply to the research team’s initial contact, website admins have posted a data breach notification on their forum:
“Recently we learned of a security breach on BigFooty’s search index which, due to a mis-configuration, was publicly accessible without restriction,” the notice says. “This search index included content that may have been removed from public view on the forum, and other content where access was restricted. Access to the index was blocked as soon as we became aware of the issue on the 14th of May and commenced assessment of the breach. Whilst we now know that there was some unwanted interaction by unauthorised people, our investigation leads us to believe the whole index was not copied.”
What type of data did the leak expose?
The investigators noted that the website is predominantly anonymous and, while participants are not always identified, private information is frequently shared in messages, including:
• Usernames used to access BigFooty.com
• Passwords to live streams
• Data relating to ad spammers
• Email addresses
• Relationships between users
• Mobile phone numbers
• User comments including personal threats and racist material
• Personal information relating to real-world activities, intentions and behavior
Additional website data such as server information, operating system and browser information, error and access logs, IP addresses and GPS data was also included in the databases.
“Although many user messages were available publicly, whether or not users could be identified depends on the data they shared in their correspondence”, the researchers said. “Many users shared mobile phone numbers, passwords to access other content and highly sensitive information relating to private activities.”
Since exposed private messages were publicly viewable, the information can be used to trace specific users. If active members shared additional personal information or sensitive data in their chats, it can be used for blackmail or to inflict reputational damage.
“Even though usernames, passwords and identities were not always matched, there remains a significant risk that the titbits of information available could be used to commit identity fraud, and consequently, create financial, social and reputational damage on users,” Security Detectives warned.
BigFooty has also advised members who have shared personal contacts, passwords or financial information in private boards or conversations to monitor their bank accounts and change their passwords immediately.
Members are also advised to avoid sharing sensitive data and passwords on message boards or in the comment sections. Passwords are for your eyes only. Sharing such private information can lead to account takeover attacks, identity theft and serious financial damage.