Telegraph Data Leak Exposes 10 TB of Sensitive Subscriber Data

When we consume the news to stay informed about the latest world events or the political unrest in our own backyards, the last thing we expect is the possibility that our personal data will be stolen. Imagine reading the latest headline about a data breach, only to receive a notification the very next day that your data has been compromised. What are the odds? Well, it turns out, those odds are pretty good.

On October 5, 2021, The Telegraph, one of the UK’s most popular and largest news media outlets, suffered a data leak that exposed 10 TB of subscriber data after failing to properly secure one of its databases. 

According to Bleeping Computer, the leaked information included “internal logs, full subscriber names, email addresses, device info, URL requests, IP addresses, authentication tokens, and unique reader identifiers,” all of which put the impacted subscribers at risk of being scammed, phished via email, or worst yet – having their data sold on the dark web. 

In particular, the leaked URL requests pose an extreme privacy risk as an attacker could “use them to construct the users’ browsing history on the news platform.” In addition, stolen authentication tokens could affect The Telegraph’s recurring revenue stream as non-subscribers could use them to access content that normally would be behind a paywall. 

The unprotected database was first discovered on September 14 by researcher, Bob Diachenko. At the time of discovery, at least 1,200 contacts were confirmed to be unencrypted, and therefore, accessible without a password. Worst yet, many of these cases included Apple News subscribers who had their passwords exposed in plain text. 

Though The Telegraph was immediately notified of this security vulnerability, it took them two full days to respond to the incident and secure the database. On top of that, the database was left unprotected for at least three weeks – more than enough time for an attacker to find the unsecure database, exfiltrate the contained data, and put the lives of innocent subscribers at risk. 

With Dasera, The Telegraph could have identified the unprotected database to ensure that it was properly configured. An easy fix like this can save the lives of millions. For more information on how to secure your data, visit www.dasera.com

Author

Tu Phan