The Cybernews research team found that Thomson Reuters had left three of its databases publicly accessible, exposing more than 3TB of sensitive customer and corporate data, including third-party server passwords.
Thomson Reuters Corporation is a Canadian multinational media conglomerate. The company is headquartered in Toronto, Ontario, Canada.
Its products include the business-to-business media tool Reuters Connect, the legal research service and database Westlaw, the tax automation system ONESOURCE, Checkpoint (an online research suite of editorial and source materials), and other tools.
“The 3TB public-facing ElasticSearch database contains a trove of sensitive, up-to-date information from across the company’s platforms,” Cybernews reported.
The report says the data could be used by threat actors for a supply-chain attack. Thomson Reuters acknowledged the issue and fixed it immediately.
The exposed instance ran Elasticsearch, a data store favored by enterprises that handle large, constantly updated volumes of data, which is consistent with the size of the database.
The company had collected and exposed thousands of gigabytes of data, which is believed to be worth millions of dollars on underground criminal forums.
Among the three databases, two were designed to be publicly accessible. The third was a non-production server meant for “application logs from the pre-production/implementation environment.”
According to the report, the logs in the open database hold sensitive information and could lead to supply-chain attacks if accessed by threat actors. The details were stored in plaintext, readable by anyone who found the instance.
“This type of information would allow threat actors to gain an initial foothold in the systems used by companies working with Thomson Reuters. A simple human error can lead to devastating attacks, from data exfiltration to ransomware,” said Mantas Sasnauskas, Head of Security Research at Cybernews.
The researchers also found login and password reset records in the open instance. The logs show the account holder’s email address and the precise time the password change query was submitted, but they do not reveal either the old or new passwords. The database contains more than 6.9 million unique logs.
The open database also contained internal screening of other platforms such as YouTube, Thomson Reuters’ clients’ access logs, and connection strings to other databases.
The exposure of connection strings is especially dangerous: a connection string typically names an internal host and port and often carries the account name and password in plaintext, so it both maps the company’s internal network and can hand an attacker working credentials for the databases it points to.
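The kind of leak described above (credentials and connection strings written into application logs and then indexed along with everything else) is normally caught by scrubbing log lines before they reach the log store. The following is an added example of such a scrubber written for this article; it is not code from Thomson Reuters or Cybernews, and the log lines, hostnames, account names and passwords in it are constructed for illustration. It recognises three common shapes: URL-style connection strings (`scheme://user:password@host`), key=value strings as used by ADO.NET/ODBC and JDBC query parameters, and bare `api_key`/`secret`/`token` assignments.

```python
"""Detect and redact credentials in application log lines before shipping them
to a log store such as Elasticsearch.

Added example for this article, not code from Thomson Reuters or Cybernews.
All sample log lines, hosts and secrets below are constructed."""
import re

REDACTED = "[REDACTED]"

# URL-style connection strings: scheme://user:password@host[:port]/...
URL_CRED = re.compile(
    r"(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*://)"
    r"(?P<user>[^:/@\s]+):(?P<pw>[^@\s]+)@(?P<host>[^/\s:]+)"
)
# Key=value style (ADO.NET, ODBC, JDBC query strings): Password=...; pwd=...&
KV_CRED = re.compile(r"""(?i)\b(?P<key>password|pwd)\s*=\s*(?P<pw>[^;&\s"']+)""")
# Bare secrets assigned in log lines: api_key=..., token: ..., secret=...
TOKEN = re.compile(
    r"""(?i)\b(?P<key>api[_-]?key|secret|token)\s*[=:]\s*["']?(?P<pw>[A-Za-z0-9_\-./+=]{8,})"""
)


def find_secrets(line):
    """Return a list of (kind, secret) pairs found in one log line."""
    hits = []
    for m in URL_CRED.finditer(line):
        hits.append(("url-credential", m.group("pw")))
    for m in KV_CRED.finditer(line):
        hits.append(("kv-password", m.group("pw")))
    for m in TOKEN.finditer(line):
        hits.append(("token", m.group("pw")))
    # Lines that were already scrubbed must not be reported a second time.
    return [(kind, secret) for kind, secret in hits if secret != REDACTED]


def redact(line):
    """Return the line with every detected secret replaced by REDACTED.
    Hosts, ports, database names and user names are kept so the log stays useful."""
    line = URL_CRED.sub(lambda m: f"{m['scheme']}{m['user']}:{REDACTED}@{m['host']}", line)
    line = KV_CRED.sub(lambda m: f"{m['key']}={REDACTED}", line)
    line = TOKEN.sub(lambda m: f"{m['key']}={REDACTED}", line)
    return line


def scan(lines):
    """Scan a batch of lines; return (number of lines that leaked a secret, redacted lines).
    In a shipping pipeline the redacted lines go to the log store and the count raises an alert."""
    flagged = 0
    cleaned = []
    for line in lines:
        if find_secrets(line):
            flagged += 1
        cleaned.append(redact(line))
    return flagged, cleaned


# Constructed sample log lines in the style of a pre-production application log.
# The first line is the kind of password-reset record the report says is harmless on
# its own (no password in it); the rest each leak a credential in a different shape.
SAMPLE_LOGS = [
    "2022-10-21T10:42:13Z INFO password reset requested for user=jdoe@example.com",
    "2022-10-21T10:42:15Z DEBUG connecting to postgres://svc_user:Pa55w0rd!@db-internal.corp:5432/trade",
    "2022-10-21T10:42:16Z DEBUG Server=sql01.corp.internal;Database=Trade;User Id=app;Password=Tr4deP@ss;",
    "2022-10-21T10:42:17Z DEBUG reports db: mongodb://reports:Rep0rt%21@mongo-rs0.internal:27017/analytics?authSource=admin",
    "2022-10-21T10:42:18Z INFO calling video API with api_key=AIzaConstructedExampleKey123",
    "2022-10-21T10:42:19Z DEBUG jdbc:mysql://mysql01.corp.internal:3306/orders?user=svc_orders&password=0rd3rs!&useSSL=true",
]

if __name__ == "__main__":
    flagged, cleaned = scan(SAMPLE_LOGS)
    print(f"{flagged} of {len(SAMPLE_LOGS)} lines contained a secret")
    for original, safe in zip(SAMPLE_LOGS, cleaned):
        if original != safe:
            print("redacted:", safe)
```

Pattern lists like this are never complete, so the count returned by `scan` is worth alerting on in its own right: a sudden rise in redactions usually means a new code path has started logging something it should not, and that is the moment to fix the logging rather than rely on the scrubber.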
“This instance left sensitive data open and was already indexed via popular IoT search engines. This provides a large attack surface for malicious actors to exploit not only internal systems but a way for supply chain attacks to get through”, Sasnauskas added.
The third accessible database was a non-production server. Such servers usually don’t hold production application data, but that does not mean the details stored there are less sensitive.
“This non-production server only houses application logs from the pre-production/implementation environment of that product and is only associated with a small subset of Thomson Reuters Global Trade customers,” the company explained.
The company said the now-closed server only captured data generated through user actions within the pre-production and implementation environment.
According to Martynas Vareikis, Information Security Researcher at Cybernews, “Having more details always helps malicious actors. Invoices infected with malware could cause huge losses for the clients if they were attacked by ransomware gangs”.
The company has started an internal investigation to find the source of the issue. So far, the leading theory is that an “isolated error in the product environment resulted in the unintentional misconfiguration of the non-production environment”. The company said it has begun notifying the affected customers.