![](\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&iu=\/6978\/reg_security\/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33YssD0aaRtTwfFgGpQ5k6VwAAAEE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\")
<\/a> <\/noscript> <\/div>\nThe team added: “On the 1st of July, Alibaba made private or shut down all the Kibana servers running 5.5.3.”<\/p>\n
There is no indication that anyone other than the techie who set up this deployment was at fault for this security lapse. The software was hosted on Alibaba, and we have asked the cloud giant for its take on events.<\/p>\n
Bob Diachenko, owner of infosec research firm SecurityDiscovery, confirmed to The Register<\/i> that his findings married up with that of LeakIX. Diachenko’s company automatically detected the cluster on the open internet in April, we’re told, and made a note of the database indices, though it did not inspect the content. When free samples of the stolen data were made available, Diachenko was able to link references to indices in those samples to Elasticsearch indices logged by his systems earlier.<\/p>\n
“We constantly monitor exposures and misconfiguration on the internet, however, we do not actively look into Chinese IPs,” Diachenko told The Register<\/i>.<\/p>\n
“When I learned about the leak and studied the samples shared by a threat actor on an underground forum, I realized this data originated from an Elasticsearch Kibana system, due to the names of the indices. I searched our internal reports and was able to confirm an exact match of the indices names.”<\/p>\n
According to Diachenko, the cluster was ransacked by someone around mid-June who destroyed the data, leaving a ransom note demanding 10 BTC in its place. He issued the following advice via Twitter:<\/p>\n