UK newspaper *The Telegraph* exposed in its first ever giant data leak
UK newspaper *The Telegraph* exposed a 10-terabyte database of logging information on the web without a password or any other authentication required to access it. Among the internal logs, the data included names, email addresses, device info, URL requests, IP addresses, and unique identifiers of readers and subscribers on *The Telegraph*.co.uk website.
Bob Diachenko found the unprotected database on September 14, 2021. After identifying *The Telegraph* as the owner, he immediately sent an alert as per our responsible disclosure policy.
The data was secured on September 16, 2021, but now we can take a look at what was leaked.
Here's what we know happened:
- September 14, 2021: Diachenko found the data and sent an alert to *The Telegraph*.
- September 16, 2021: After not receiving a response, Diachenko tweeted an alert message to get *The Telegraph*'s attention. A representative from the newspaper's security team acknowledged the incident and secured the data later that day.
Evidence suggests the data was left unprotected for about three weeks, since September 1st. We do not know if any unauthorized parties accessed it during that time, but our honeypot experiments show attackers can find and steal data from unprotected databases in just a few hours after they're exposed.
The data was generated from an internal logging server for *The Telegraph*.co.uk website. The exposed Elasticsearch cluster contained about 10TB of data, which is quite large. We only browsed a sample of the data and didn't download the entire set, so we don't know exactly how many people are affected.
Additionally, a significant portion of the records were encrypted, but we don't know exactly how many. According to *The Telegraph*, there were 1200+ unencrypted contacts across registrants and subscribers, including the passwords of some Apple News subscribers or registrants.
The records with user info contained some or all of the following:
- URL requests (telegraph.co.uk browsing history)
- Cookie info, including:
  - First and last name
  - Subscriber status
  - User device, operating system, and version
  - TS number (a unique identifier whose purpose we don't know)
- IP address
Notably, some government email addresses with the @gov.uk domain were exposed in plain text.
No email verification is enabled on their site...
Aside from user records, we also found logs of AccessIDs and requestIDs (authentication tokens).
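As an added example (not *The Telegraph*'s own code or configuration), the filter below shows what a log-ingest step can do with the kinds of fields listed above before a record is indexed: drop names and passwords, pseudonymise emails and tokens with a keyed hash, truncate IP addresses to their network, and strip query strings from requested URLs, so an exposed logging cluster holds far less that is directly identifying. The field names, the key and the sample record are constructed for the example.

```python
import hmac
import hashlib
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed key for keyed pseudonymisation; in practice load it from a secret store.
PSEUDONYM_KEY = b"constructed-example-key"

# Per-field policy for the kinds of fields the exposed logs contained (names are assumed).
DROP_FIELDS = {"first_name", "last_name", "password"}
PSEUDONYMISE_FIELDS = {"email", "access_id", "request_id"}

def pseudonymise(value: str) -> str:
    """Keyed hash: the same user stays correlatable without storing the raw value."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def mask_ip(ip: str) -> str:
    """Keep only the network part: /24 for IPv4, /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)

def strip_query(url: str) -> str:
    """Keep the article path for analytics; query strings often carry tokens or emails."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}{parts.path}" if parts.scheme else parts.path

def minimise(record: dict) -> dict:
    """Return a copy of a log record with identifying fields dropped or reduced."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key in PSEUDONYMISE_FIELDS and value:
            out[key] = pseudonymise(str(value))
        elif key == "ip" and value:
            out[key] = mask_ip(value)
        elif key == "url" and value:
            out[key] = strip_query(value)
        else:
            out[key] = value
    return out

# Constructed sample record, not data from the real leak.
SAMPLE = {
    "ts": "2021-09-14T10:00:00Z",
    "first_name": "Jane", "last_name": "Doe",
    "email": "jane.doe@example.gov.uk",
    "ip": "203.0.113.42",
    "url": "https://www.telegraph.co.uk/news/some-article/?email=jane.doe@example.gov.uk",
    "device": "iPhone; iOS 14.7", "subscriber": True,
    "access_id": "constructed-token-123",
}

if __name__ == "__main__":
    print(json.dumps(minimise(SAMPLE), indent=2))
```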
*The Telegraph* website visitors should be on the lookout for targeted phishing and scams. Names and emails in the database can be used to send readers targeted scam messages. Scammers will likely pose as *The Telegraph* or a related organization.
We recommend never clicking on links or attachments in unsolicited email.
We weren't certain what the access tokens were used for, but we surmise they are used to access subscriber-only content. They could be stolen and used by non-subscribers.
Snoopers could use the URL requests to amass a browsing history of which articles a person has read on *The Telegraph*'s website, which could be a privacy concern for some readers.
*The Telegraph* provided us with the following statement:
We became aware of this discovery on 16 September and took immediate action to secure the data.
An investigation showed that only a small number of records were exposed - less than 0.1% of our users and we have contacted all the users to advise them. The investigation also concluded that whilst the data was exposed it was not breached other than the discovery posted by the researcher.
We are grateful for the work of independent researchers who responsibly disclose vulnerabilities and exposures and who are vital in our continued work to protect our assets.
*The Telegraph*, also called *The Daily Telegraph*, is a London-based newspaper distributed worldwide. It was founded in 1855 and has a conservative lean. Its website, telegraph.co.uk, publishes under the same name.
The newspaper has more than 600,000 subscribers as of 2021.
The company has no other major data incidents on record.