Thai Telco leaks 3.3 billion DNS queries via ElasticSearch database

A security researcher has found an open ElasticSearch database containing browsing data from millions of Thai telecom customers. The database contained 3.3 billion DNS queries and 5 billion rows of NetFlow data.

Security researcher Justin Paine, who discovered the leak, says the database contains data from Advanced Info Service, Thailand’s largest telecom provider. The researcher discovered the ElasticSearch database through the search engines Shodan and BinaryEdge; it was not protected by a password. The database was spread over three different ElasticSearch servers.

In total, Paine found 8.3 billion records in the database: 3.3 billion DNS queries and 5 billion rows of NetFlow data. NetFlow is a network protocol from Cisco with which IP data can be collected. A week after the database was put online, the administrators stopped logging the DNS queries. The discoverer says it is not clear why. The NetFlow data continued to be logged throughout.

Paine could see not only what websites someone was visiting, but also what devices they were using on their network, and in some cases things like what software someone had on their device. The latter was possible because, for example, queries were made by users to templateservice.office.com or to play.googleapis.com.

According to the researcher, the ElasticSearch server appeared on the Internet on May 1 of this year. He found it there on May 6. After Paine discovered the database, he notified the provider on May 13, but they did not respond. Paine then made a report to Thailand’s Cyber Security Center, ThaiCERT. ThaiCERT contacted the provider, after which the database was taken offline.
