French Civic Service exposes 1.4 million user records on the web, including volunteers’ personal details
A 5.0GB database belonging to the French Civic Service exposed nearly 1.4 million records on the web without a password or any authentication required to access it, Comparitech researchers report. The Agence du Service Civique recruits 19–25-year-olds for volunteer work.
The database included hundreds of thousands of contract details for volunteers in the program, plus more than 1 million names, email addresses, and passwords of users who signed up through the website.
Comparitech’s security research team, led by cybersecurity expert Bob Diachenko, discovered the database on May 30 and reported it to the French Civic Service the same day. The organization acted quickly and secured the exposed server a few hours later.
The French Civic Service told Comparitech in a statement that a subcontractor had exposed the database of former volunteers:
The “Agence du Service Civique” was alerted on Saturday 30 May at 3.30 pm that a security breach was detected in the system of one [of] our subcontractors and had allowed access to a personal database of former volunteers with the French Civic Service. Immediately, the “Agence du Service Civique” did everything that was necessary to find the origin of the breach and secure it. Access was blocked on Saturday 30 May at 7pm.
It was a test platform, not our website, on which one of our subcontractors had loaded our database without a proper secure system on May 25th. Our investigation on the history of unauthorized access on this database shows that, to the best of our knowledge, no malicious intrusion occurred on the platform. The incident report has been sent to French authority CNIL “Commission nationale de l’informatique et des libertés” and the Ministry in charge was permanently informed during our investigation. A full audit of all our systems will be launched. We are committed to keeping our awareness raised about cyber hygiene.
Timeline of the exposure
The database was exposed for five days in total:
May 25, 2020: A subcontractor working on behalf of the French Civic Service deployed the database
May 27, 2020: The exposed database was indexed by search engine Shodan.io
May 30, 2020: Diachenko discovered the database and reached out to French security researcher Baptiste Robert, who helped bring the incident to the attention of the French Civic Service
May 30, 2020: The exposed data was secured about three hours after Diachenko’s disclosure
Although the French Civic Service stated that no malicious intrusions occurred, we cannot confirm whether any other unauthorized parties accessed the data.
What data was exposed?
The open and unprotected MongoDB database contained several sets of data, including:
373,892 volunteer details, including ELISA contract information. ELISA (Local Extranet for Compensation and Monitoring of Volunteer Reception in Civic Service) is the system used to authorize organizations that wish to hire volunteers through the French Civic Service and manage contracts and payment between those organizations and their volunteers. Information in these documents includes:
Full names of both parties
SIRET identification numbers
Terms of volunteer service
Internal documents and links
More than 1 million website user records including:
A directory of 1,913 high profile contacts including:
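The exposure described above came down to a MongoDB instance reachable from the internet with no authentication. The following mongod.conf fragment is an added illustration, not part of the original report and not the subcontractor's actual configuration (which is not public): the first document shows the kind of posture that leaves a database open, the second the hardened equivalent. The private address in bindIp is a placeholder.

```yaml
# Constructed example: exposed posture.
# Binding to 0.0.0.0 makes mongod answer on every interface, and with no
# "security" section, authorization defaults to disabled, so any client that
# can reach port 27017 can list and read databases without credentials.
# (Since MongoDB 3.6 the default bindIp is localhost, so an instance only
# ends up like this on an older version or by explicit configuration.)
net:
  port: 27017
  bindIp: 0.0.0.0

---
# Constructed example: hardened posture.
# Listen only on loopback and a private interface (10.0.0.5 is a placeholder),
# and require authentication so every connection must present a user that
# has been granted roles on the databases it accesses.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
```

Enabling authorization on its own is not enough: an administrative user still has to be created, and the host firewall or cloud security group should restrict port 27017 to the application hosts that need it. Test and staging copies of production data, as in this incident, need exactly the same controls as the production instance.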
Dangers of exposed data
Although the French Civic Service says no malicious intrusions were detected, we strongly recommend impacted users and volunteer organizations take steps to protect themselves in case cybercriminals managed to steal the exposed data.
The leaked passwords are the most worrying. Affected users should immediately change their website login passwords. Additionally, if the same password and email combination were used on any other account or service, change those as well to prevent credential stuffing attacks.
Anyone whose contact information was exposed should be on the lookout for scam and phishing emails from criminals posing as the French Civic Service and related organizations.
Why we reported this exposure
Comparitech works with security researcher Bob Diachenko to find and report instances of personal data exposure online. On finding, for instance, an unsecured database full of sensitive information, we immediately begin trying to find out who the data belongs to, who may be affected, what type of information was exposed, and any potential ramifications that could occur as a result of this data being in the public domain.
Our goal is not to name and shame organizations for their security failings. Rather, it is to prevent people from becoming victims of identity theft, spear-phishing campaigns, and other malicious attacks as a result of having their data exposed. This is why, before making our findings public, we first coordinate with the database owners and ensure that the data is no longer accessible.
Previous reports
This is far from the only instance of its kind. In the past, our team has discovered several similar incidents, including when:
42 million Iranian “Telegram” phone numbers and user IDs were breached
Details of nearly 8 million UK online purchases leaked
250 million Microsoft customer support records were exposed online
More than 260 million Facebook credentials were posted to a hacker forum
Almost 3 billion email addresses leaked, many with corresponding passwords
Detailed information on 188 million people was held in an unsecured database
K12.com exposed 7 million student records
MedicareSupplement.com made 5 million personal records publicly available
Over 2.5 million CenturyLink customer records were leaked
Choice Hotels leaked records of 700,000 customers