News Data on the calls of thousands of Ringostat customers ended up online


Otto

The Elasticsearch server, which contains about 2 billion user records, was not password-protected.

An unsecured database belonging to the Ringostat phone call tracking service, which is used by customers around the world, mainly in Ukraine and the Russian Federation, was discovered online. The exposure put phone numbers, call recordings, call logs and other information at risk of being compromised. The database contained millions of records and was accessible to any user. Access to the information did not require authorization, and the data itself was not encrypted.

A team of experts led by security researcher Ata Hakcil from WizCase discovered a database on the Elasticsearch server used by Ringostat that contained more than 800 GB of user data. The data leak affected the records of 67 thousand Ringostat customers. The leaked information included approximately 8 million voice recordings, 13 million phone numbers, and hundreds of millions of call logs and metadata. In total, about 2 billion records were publicly available.

The metadata includes information such as the phone numbers for outgoing and incoming calls, call timestamps, the recipient's IP address, the duration of the call (both shared and paid), the name of the GSM operator, and the client company that received the call.

In the unsecured database, the experts also found payment records of the American company Stripe, including the user ID, IP address, port and time of the transaction. Stripe's customer information included company names, email addresses, number of emails, and phone numbers.

Currently, access to the database is closed.

Comment from Ringostat representatives: The author of the article took the information from the WizCase blog. Judging by the information on their website, WizCase is engaged in activities to find vulnerabilities in online products and use them to obtain private data.

In fact, by drawing attention to their project, they compromise the activities of other companies, ranging from online education services and dating services up to Microsoft.

For our part, we check the security of our data. But we can already say that there was no data leakage in the specified volume. The figures announced by WizCase do not correspond to reality.