The security research team at SafetyDetectives, led by Anurag Sen, has uncovered a significant data leak from French daily newspaper Le Figaro.
Hosted on an Elasticsearch server owned by Poney Telecom in France, the leaking database contained over 8TB of data, totaling approximately 7.4 billion records. The server was live at the time of our investigation, leaking Personally Identifiable Information (PII) data from people accessing private accounts on Le Figaro’s news website, and in some cases, their login credentials.
Once we confirmed Le Figaro as the owner of the database, we reached out to the company with our conclusions.
Who is Le Figaro?
Le Figaro is the oldest daily newspaper in France, founded in Paris in 1826. It also claims to be the most popular newspaper in the country, with the largest daily circulation in France.
The online version of Le Figaro is one of the top 50 most visited websites in France.
In 2004, Le Figaro was bought by Serge Dassault, a French billionaire businessman and politician most famous for his work in arms manufacturing and aviation. Since his death, his company, The Dassault Group, continues to own Le Figaro.
What Was Leaked?
Le Figaro’s database contained API logs for its desktop and mobile websites, dating from the previous three months on any given date. For example, as our investigation started in late April 2020, records went back as far as February. As the database was built in March 2019, it’s also possible that it had been exposed much earlier than this.
The API logs on the database contained records of people who registered a subscription account on Le Figaro’s website from February to April 2020, along with the records of pre-existing users logging into their accounts.
In the case of new users, the records included their login credentials and PII data. For pre-existing users, their login credentials remained hidden, but their PII data was also exposed.
The PII data visible included:
- Full names
- Home Addresses
- Passwords for new users, in cleartext and hashed with MD5
- Countries of residence and zip code
- IP addresses
- Internal server access tokens
The exact number of people exposed is uncertain due to the structure of the data. It would have required more time to investigate the database and calculate precisely how many individual users were recorded across each type of data entry. Due to the sensitivity of the leak, we decided it was better to contact Le Figaro quickly rather than spend more time investigating.
However, we estimate at least 42,000 new users registered on Le Figaro between February and April 2020 – all of whom were exposed in this leak.
Some of the exposed PII data also belonged to Le Figaro reporters and employees, including their email addresses and for some of them their full names as well.
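The credentials and tokens described above reached the database because they were written into API log events. The following is an added example, not code from Le Figaro or from the original report: a scrubbing step applied to each event before it is shipped to a log store. The field names, patterns and the sample event are constructed assumptions, and the step covers credentials and tokens only, not the other PII listed.

```python
import json
import re

# Field names treated as secrets wherever they appear (hypothetical list;
# extend it to match your own API's parameter names).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "access_token",
                  "authorization", "secret"}
KEY_VALUE = re.compile(r"(?i)\b(password|passwd|pwd|token|access_token)=([^&\s\"]+)")
BEARER = re.compile(r"(?i)\b(bearer)\s+[A-Za-z0-9._~+/=-]+")
MD5_HEX = re.compile(r"\b[0-9a-fA-F]{32}\b")  # bare 128-bit hex digests


def scrub(value, key=None):
    """Return a copy of a log event with credentials and tokens masked."""
    if isinstance(key, str) and key.lower() in SENSITIVE_KEYS:
        return "[REDACTED]"
    if isinstance(value, dict):
        return {k: scrub(v, k) for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v) for v in value]
    if isinstance(value, str):
        # Request bodies are often logged as a JSON string: parse and recurse.
        if value.lstrip()[:1] in ("{", "["):
            try:
                return json.dumps(scrub(json.loads(value)))
            except ValueError:
                pass  # not JSON after all; fall through to pattern masking
        value = KEY_VALUE.sub(lambda m: m.group(1) + "=[REDACTED]", value)
        value = BEARER.sub(r"\1 [REDACTED]", value)
        value = MD5_HEX.sub("[REDACTED-HASH]", value)
    return value


# Constructed sample event (not taken from the leaked data).
SAMPLE_EVENT = {
    "@timestamp": "2020-04-01T10:00:00Z",
    "path": "/api/register?email=a%40example.com&password=hunter2",
    "headers": {"Authorization": "Bearer abc.def.ghi", "User-Agent": "test"},
    "body": '{"login": "user@example.com", "password": "hunter2", '
            '"profile": {"zip": "75001"}}',
    "message": "stored pw_md5=5f4dcc3b5aa765d61d8327deb882cf99 for user 42",
}

if __name__ == "__main__":
    print(json.dumps(scrub(SAMPLE_EVENT), indent=2))
```

Masking at the point of logging keeps secrets out of every downstream copy of the logs, including backup clusters.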
Further Server Information
The compromised database also contained numerous technical logs exposing more of Le Figaro’s backend servers and possibly additional, potentially sensitive data that could be valuable for attackers hoping to compromise the company’s data infrastructure.
- SQL query errors
- Traffic between different servers
- Communication protocols
- Potential access to admin accounts
Many indices in the leak seemed connected to the AGORA system, most likely used as a CRM by the company.
Finally, and most worrisome of all, the database was completely exposed to the public – with no password required to access it. Anyone with the knowledge of the database’s IP address could have gained access.
How We Confirmed Le Figaro was Leaking the Data
Our research team found the database from Le Figaro, but due to concerns over the server it was hosted on, we had to confirm the company as its owner.
We wanted to verify that the server in fact belonged to Le Figaro and the data hadn’t been stolen and placed here by a hacker.
The exposed database was hosted by a company called Dedibox (owned by a larger IT company, Online SAS), using servers belonging to another company, Poney Telecom.
However, most of Le Figaro’s servers online use more popular and security-oriented hosting services, such as Akamai.
Poney Telecom also has a reputation for shady, unethical hosting practices and security issues, and is notorious for many online attacks that seem to originate from within its network of servers.
For these reasons, we needed to confirm all details of the leak and the owner of the database before proceeding with our investigation. This process took a few days.
Several indications within the leaked database suggested a strong connection to Le Figaro, such as:
1. Many index names contained the text “le Figaro” in some way (e.g., logstash-app-
2. Much of the data had explicit links to Le Figaro’s backend and many other related resources and subdomains related to the company.
3. Communication between servers where all hosts seem to be from subdomains of “lefigaro.fr”.
4. The leaked server’s hostname included “poneytelecom.eu”, and was hosted by Dedibox. There was also another exposed server from the same Elasticsearch cluster, which was also hosted by the same company and had a similar hostname.
This server was a backup cluster with an HTTPS certificate for “dev.lefigaro.fr” subdomains, which significantly strengthened the case that the cluster belonged to Le Figaro.
To confirm our suspicions, we created a test user account on Le Figaro to see what would happen. When the user account appeared on the exposed database, we had confirmed Le Figaro as the owner.
After we had confirmed Le Figaro as the owner of the database, we reached out to the company with our findings.
Data Breach Impact
Identity Theft & Fraud
The exposed user PII data could be used by hackers to pursue identity theft and various forms of fraud against those whose information was leaked. Combining a user’s email address, personal details, and more, hackers would have ample opportunities to pursue financial, tax, and insurance fraud, and much more.
Using the Server to Attack Accounts on Other Platforms
Cleartext passwords exposed in the system, along with the MD5 hashed passwords, are also problematic.
Email IDs could be viewed from many email providers and cloud accounts, including Orange, Hotmail, Gmail, and iCloud. Many of these records included a user’s password. As most people share the same password across many private online accounts, hackers could use the same login credentials to access countless accounts across many websites and platforms.
Furthermore, even though some of the passwords had been “salted” with added random data and hashed with MD5, this protection could be quickly bypassed, as MD5 is no longer considered a very secure hashing algorithm.
Hackers with access to a database like Le Figaro’s could attempt billions of password combinations per second, on various platforms simultaneously. It wouldn’t take long for them to exploit the exposed PII data to gain access to private email and cloud accounts and implement further fraud schemes accordingly.
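On the storage side, the usual remedy for fast salted-MD5 hashes is to move each record to a deliberately slow key-derivation function the next time its owner logs in. The following is an added example, not code from Le Figaro or the original report; the record formats, function names and the `md5(salt || password)` construction are assumptions, since the page does not say how the salt was applied.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # work factor; each guess costs this many HMAC rounds


def legacy_md5_record(password, salt):
    """Assumed legacy format: md5$<salt hex>$<md5(salt || password) hex>."""
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return f"md5${salt.hex()}${digest}"


def pbkdf2_record(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """New format: pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password, record):
    """Return (ok, upgraded). `upgraded` is a replacement record to store when
    a legacy or under-strength record verified, otherwise None."""
    scheme, *parts = record.split("$")
    if scheme == "md5" and len(parts) == 2:
        salt, expected = bytes.fromhex(parts[0]), parts[1]
        actual = hashlib.md5(salt + password.encode()).hexdigest()
        ok = hmac.compare_digest(actual, expected)  # constant-time compare
        return ok, (pbkdf2_record(password) if ok else None)
    if scheme == "pbkdf2_sha256" and len(parts) == 3:
        iterations, salt = int(parts[0]), bytes.fromhex(parts[1])
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
        ok = hmac.compare_digest(dk.hex(), parts[2])
        stale = ok and iterations < PBKDF2_ITERATIONS
        return ok, (pbkdf2_record(password) if stale else None)
    return False, None  # unknown scheme: reject rather than guess
```

Migration on login only protects accounts that sign in again; records that never verify should be expired or forced through a password reset.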
Phishing & Malicious Emails
Hackers could also use the exposed emails and other PII data to create highly effective phishing campaigns against targets.
Such emails could encourage victims to provide private, financial data to cybercriminals. Alternatively, they could be prompted to click on a link that embeds malicious software on their devices, such as spyware, ransomware, and malware.
As the database also contained records of welcome emails to new users, hackers could easily copy these templates to create incredibly convincing, fraudulent emails.
The PII of Le Figaro employees, also exposed in the database, could also be used in phishing campaigns against the company itself. If an employee were to click a link in an email embedded with malware, it would put the entire company at risk.
More Attacks on the System and its Users
The exposed database was an excellent asset for anyone trying to attack Le Figaro’s backend systems. It could be leveraged in further cyberattacks against the company, or to expose other flaws in their system, which could put both the company and its users at risk.
Safety of Le Figaro Journalists
The leak also compromised the privacy and safety of Le Figaro’s journalists by exposing their email addresses to the public. Such information can be used to threaten and abuse journalists online, find out private information about their personal lives, and dox them on social media platforms, exposing them to exponentially worse dangers.
Preventing Data Exposure
How can you prevent your personal information from being exposed in a data leak and ensure that you’re not a victim of attacks if it is leaked?
- Be cautious of what information you give out and to whom.
- Check that the website you’re on is secure (look for https and/or a closed lock with no warning).
- Only give out what you feel confident cannot be used against you (avoid government ID numbers, personal preferences that may cause you trouble if made public, etc.).
- Create secure passwords by combining letters, numbers, and symbols.
- Do not click links in emails unless you are sure that the sender is legitimately whom they represent themselves to be.
- Double-check any social media accounts (even ones you no longer use) to ensure that your posts and personal details are visible only to people you trust.
- Avoid using credit card information and typing out passwords over unsecured WiFi networks.
- Find out more about what constitutes cybercrime, the best tips to prevent phishing attacks, and how to avoid ransomware.
SafetyDetectives.com is the world’s largest antivirus review website. The SafetyDetectives research lab is a pro bono service that aims to help the online community defend itself against cyber threats while educating organizations on how to protect their users’ data.
Published on: Apr 30, 2020