Elasticsearch Leak Exposes 6 Billion Records from Scraping, Old and New Breaches
An Elasticsearch leak exposed 6 billion records from global data breaches and scraping sources, including banking and personal details tied to multiple regions.
A misconfigured Elasticsearch server holding 1.12 terabytes of data was leaking more than 6 billion records to anyone on the internet, with no authentication or password of any kind. The server, apparently operated from Russia or a Russian-speaking country, contained detailed records collected through data breaches, website scraping and other sources before it was taken offline.
This was revealed exclusively to Hackread.com by independent cybersecurity researcher Anurag Sen, who initially spotted the exposed server. It remains unclear how long the data was exposed.
The screenshot below shows details of the exposed Elasticsearch server. The server’s index information revealed a total size of 1.12 terabytes containing over 6.19 billion records, confirming the scale of the data exposure. Sensitive server identifiers have been redacted for security reasons.
(Credit: Hackread.com via Anurag Sen)
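The exposure described above is the classic Elasticsearch misconfiguration: the REST API answers `GET /` and `GET /_cat/indices` to anyone without credentials, which is exactly how a researcher can read index sizes and document counts like the 1.12 TB / 6.19 billion figures in the screenshot. The following is an added example, not Hackread.com's or the researcher's tooling, showing how to tell an open cluster from a secured one and how to total up what an open one holds. The HTTP responses it works on are constructed samples embedded inline (the index names, counts and sizes are hypothetical, chosen to resemble the case in the article, and are not taken from the exposed server); the `probe()` helper is the only part that touches the network and should only be pointed at hosts you are authorised to test.

```python
"""Audit helper for unauthenticated Elasticsearch exposure.

Added example for this article (not Hackread.com's or Anurag Sen's code).
All responses below are constructed samples, not data from the exposed server.
"""
import json
import urllib.error
import urllib.request

# Constructed: what an open cluster returns for GET / with no credentials.
OPEN_ROOT_RESPONSE = (200, json.dumps({
    "name": "node-1",
    "cluster_name": "elasticsearch",
    "version": {"number": "7.17.0"},
    "tagline": "You Know, for Search",
}))

# Constructed: what a cluster with security enabled returns without credentials.
SECURED_ROOT_RESPONSE = (401, json.dumps({
    "error": {"type": "security_exception",
              "reason": "missing authentication credentials for REST request [/]"},
    "status": 401,
}))

# Constructed: GET /_cat/indices?format=json&bytes=b on a hypothetical open node.
# bytes=b makes store.size an exact byte count instead of "1.1tb"-style text.
CAT_INDICES_RESPONSE = json.dumps([
    {"health": "green", "status": "open", "index": "accordbank",
     "docs.count": "1200000", "store.size": "734003200"},
    {"health": "yellow", "status": "open", "index": "scrape-2023",
     "docs.count": "5000000000", "store.size": "1100000000000"},
])


def classify_root(status, body):
    """Classify a GET / response as 'open', 'auth_required' or 'unknown'.

    An open cluster happily returns its name, cluster_name and version;
    a secured one answers 401 (no credentials) or 403 (wrong role).
    """
    if status in (401, 403):
        return "auth_required"
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "unknown"
        if isinstance(data, dict) and "cluster_name" in data and "version" in data:
            return "open"
    return "unknown"


def summarise_indices(body):
    """Total documents and on-disk bytes across /_cat/indices JSON output."""
    rows = json.loads(body)
    total_docs = sum(int(r["docs.count"]) for r in rows)
    total_bytes = sum(int(r["store.size"]) for r in rows)
    largest = max(rows, key=lambda r: int(r["docs.count"]))["index"]
    return {"indices": len(rows), "docs": total_docs,
            "bytes": total_bytes, "largest": largest}


def human_size(n_bytes):
    """Render a byte count the way _cat/indices does (1024-based units)."""
    size = float(n_bytes)
    for unit in ("b", "kb", "mb", "gb", "tb"):
        if size < 1024 or unit == "tb":
            return f"{size:.1f}{unit}"
        size /= 1024
    return f"{size:.1f}tb"  # unreachable, keeps the function total


def probe(host, timeout=5):
    """Fetch GET / from an Elasticsearch host you are authorised to test.

    Only this function touches the network; the classification logic above
    is exercised offline on the constructed samples.
    """
    url = f"http://{host}/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_root(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_root(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    print("open node     :", classify_root(*OPEN_ROOT_RESPONSE))
    print("secured node  :", classify_root(*SECURED_ROOT_RESPONSE))
    summary = summarise_indices(CAT_INDICES_RESPONSE)
    print(f"{summary['indices']} indices, {summary['docs']:,} docs, "
          f"{human_size(summary['bytes'])} (largest: {summary['largest']})")
```

The fix on the operator's side is configuration, not code: in `elasticsearch.yml`, set `xpack.security.enabled: true` (Elasticsearch 8.x turns security on at install; 7.x and earlier left it off unless the operator enabled it) and keep `network.host` bound to a private interface rather than `0.0.0.0`, with the 9200/9300 ports reachable only from hosts that need them. A cluster that returns `auth_required` from `probe()` has at least the first of those in place.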
****What’s In the Data****
Although limited details are available, one of the screenshots from the exposed server showed records from a Ukrainian bank called Accordbank, officially known as “Commercial Bank Accordbank.” Inside, the researcher found a trove of banking, contact, and personally identifiable information (PII) of users stored in JSON format, including:
- Full names
- Phone numbers
- Date and place of birth
- National ID number or tax code
- Passport numbers and issuing authority
- Address (including city and street details)
(Note: Since other databases are involved, there is a chance they may contain additional data, including passwords.)
Here is a screenshot showing the structure of the exposed records linked to Accordbank. The original image is shown along with its English translation (via Yandex Image Translator) for better understanding:
Screenshot directly from the exposed server (Credit: Hackread.com via Anurag Sen)
The exposed server also indexed databases and user details gathered from both announced and unannounced data breaches, along with records extracted through website scraping. The researcher confirmed this while examining the server before it was taken offline, although screenshots of those specific datasets could not be obtained in time.
****Cybercriminals Leaking Their Own Server?****
This may be a case of cybercriminals accidentally exposing their own data and then securing it once they realised their mistake. It would not be the first time such an incident has occurred.
In December 2024, as reported by Hackread.com, researchers found a misconfigured AWS S3 bucket believed to belong to the hacker groups ShinyHunters and Nemesis, who were allegedly working together at the time. The bucket contained stolen data, hacking tools, and even potential information about the hackers themselves, which was later reported to the AWS fraud team.
****Server May Have Been Accessed by Other Cybercriminals****
While Sen could not confirm whether the misconfigured server was accessed by a third party with malicious intent, Hackread.com’s own research found possible signs that a server owned by cybercriminals was accessed by other cybercriminals.
During the investigation, Hackread.com found a thread on DarkForums, the successor to the now-defunct Breach Forums, where a user going by the alias “tRex_Prime” was offering data records spread across more than 6,000 CSV files. The thread was titled “6k+ CSV Leak Database” and listed 2,356 of those files by name. Each CSV file was labelled with either a company name or a tag indicating what the data belonged to.
Among the listed files was one named Accordbank (accordbank.com.ua.csv). Since there are no public reports linking Accordbank to any previous data breach, it is plausible, though unconfirmed, that these 6,000+ CSV files were extracted from the misconfigured Elasticsearch server containing 1.12 terabytes of data.
Data being sold by the threat actor (Image credit: Hackread.com)
Hackread.com attempted to contact “tRex_Prime,” but their Telegram account was unavailable at the time of writing, and their forum profile had been banned for “selling public databases.” The list of 2,356 files is available here (PDF).
****What Users Should Do****
Unfortunately, Hackread.com cannot confirm all the companies or individuals whose data may have been included among the 6 billion records. The safest approach is to monitor your email accounts, avoid clicking on links or downloading attachments from unknown senders, and ignore suspicious messages sent to your phone. Note that the fields seen in the exposed records (full name, date of birth, national ID or tax code, passport number, home address) cannot be rotated the way a password can, so the lasting risk is convincing impersonation and identity fraud rather than account takeover alone.
In the coming days, if you hear about a data breach involving Accordbank, this exposure could explain its origin. Accordbank customers are therefore urged to take extra caution, contact the bank, and inquire about any possible breach of their personal data.