The owners of World-in-HD (WiHD), a private torrent tracker that offers pirated movies in HD format, left an Elasticsearch database containing sensitive user information exposed.
Many people are no doubt familiar with public trackers such as The Pirate Bay, which has been active for years. But some private trackers only allow users with invitations to join and require credentials to access the site, making them part of the Deep Web. This means that search engines do not index the website's content.
For some unknown reason, the owners of WiHD left an Elasticsearch database containing user data open and available to anyone, and it wasn't even password-protected. Elasticsearch lets administrators search and analyze large data sets quickly. Unfortunately, leaving the database easily accessible from anywhere without credentials is a mistake made too often.
According to a Cybernews report, data of almost 100,000 accounts was exposed, including the following info:
Several security risks stem from this data breach. Firstly, around 40 percent of users tend to reuse the same password on multiple online services, which means that this data breach will likely impact various unrelated services as well.
Secondly, the information taken from the database includes users' behavior on a website used to pirate multimedia content. The same users will be open to blackmail and phishing attempts from potential attackers.
WiHD eventually removed outside access to the database, but it's impossible to tell how long the information was exposed and how many times it was downloaded over time.
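For administrators who want to check their own nodes for the mistake described above (an Elasticsearch instance reachable from anywhere without credentials), the following added example audits an `elasticsearch.yml` file. It is not code from WiHD or the Cybernews report; the sample configs are constructed, and the parser assumes the flat dotted-key form of the file rather than nested YAML.

```python
import ipaddress

# Constructed sample configs, not taken from WiHD or the Cybernews report.
EXPOSED = "network.host: 0.0.0.0\nxpack.security.enabled: false\n"
HARDENED = ("network.host: 10.0.0.5\nxpack.security.enabled: true\n"
            "xpack.security.http.ssl.enabled: true\n")

def parse_flat_yaml(text):
    """Read the flat 'dotted.key: value' form of elasticsearch.yml (assumes no nesting)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("'\"")
    return settings

def is_loopback_only(host_value):
    """True only if every listed bind address is loopback."""
    for h in host_value.strip("[]").split(","):
        h = h.strip().strip("'\"")
        if h in ("_local_", "localhost"):
            continue
        try:
            if not ipaddress.ip_address(h).is_loopback:
                return False
        except ValueError:
            return False  # hostname, _site_ or _global_: assume reachable from outside
    return True

def audit(text):
    """Return findings for a node that listens beyond loopback without auth or TLS."""
    cfg = parse_flat_yaml(text)
    # Elasticsearch binds to loopback when neither setting is present.
    bind = cfg.get("http.host", cfg.get("network.host", "_local_"))
    if is_loopback_only(bind):
        return []
    findings = []
    security = cfg.get("xpack.security.enabled")
    if security == "false":
        findings.append("CRITICAL: non-loopback bind with authentication disabled")
    elif security is None:
        findings.append("WARN: xpack.security.enabled unset; default depends on version")
    if cfg.get("xpack.security.http.ssl.enabled") != "true":
        findings.append("WARN: HTTP API reachable without TLS")
    return findings

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

A clean result from the file only covers the node's own settings; firewall and cloud security-group rules that decide who can reach the HTTP port still need a separate review.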