Love quests, love and find your personal data in public

A few days ago exactly what happened in the title happened to me. Back in 2014 (namely, on December 28 at 17:00), my wife and friends played the collector's performance quest from Claustrachobia and forgot about it a long time ago, but Claustraboya reminded of itself in a very unexpected way.

But in fact, here is our photo, which was found in the public domain (my back, the rest of the faces are distorted for this article) ...

Disclaimer: All information below is published for educational purposes only. The author did not get access to personal data of third parties and companies. The information was taken either from open sources, or was provided to the author by anonymous well-wishers.

A two-index Elasticsearch database, allegedly belonging to Claustrophobia (claustrophobia.com), was found in the public domain.

index docs.count store.size phobia-master 1068927 3.2gb phobia-sandbox 55 2.9mb 

Anyone knowing the IP address could easily access the data through a normal browser using the basic query language Elasticsearch .

Judging by the data from the search engine Shodan, the database was first discovered on 03.02.2019 03:09:00. Access to it was closed on 03/31/2019, after my notification (via email and via Facebook), between 12:00 and 16:30 (MSK).

In total, Shodan fixed this base 6 times:

 03.02.2019 03:09:00 03.02.2019 19:39:00 01.03.2019 12:10:00 03.03.2019 19:55:00 09.03.2019 05:41:00 23.03.2019 13:07:00 

About how open databases Elasticsearch is discovered, I wrote a separate article.

The database contained data (just over 1 million records) for orders:

• order date
• Quest date and time
• Quest name
• Place (country and city) quest
• Name, phone and email of the person making the order
• Cost (including prepayment, discounts and promotional codes), currency of payment and type of payment (cash, card)
• Quest time
• Number of players
• Link to a joint photo of the quest participants

The information for the period from 2013 to 2019 was from different countries:

• Russia
• Ukraine
• Belorussia
• Estonia
• Germany
• Spain
• France
• Holland
• Italy
• etc.

For example, in Germany there were more than 10 thousand records.

Our 2014 quest looked like this:

  { "_index": "phobia-master", "_type": "model-Game", "_id": "105352", "_score": 10.159659, "_source": { "comment": "", "suspicious_cancellation": false, "promo_code": "", "photo": "https://.../.../.../28.12-17.jpg", "book_source": { "ru": "", "fr": "Site internet", "en": "Web-site", "nl": "", "be": "", "tr": "", "ca": "Página web", "de": "Internetseite", "db": "site", "it": "", "sk": "", "ar": "", "th": "", "sl": "", "cs": "", "et": "Lehekülg", "az": "Sayt", "ua": "", "es": "Página web" }, "client_tickets_count": null, "currency": "₽", "result": null, "language_code": null, "owner": { "phone": "+7…", "nickname": "… …", "id": 38284, "profile_type": "everyone", "email": "…@gmail.com" }, "id": 105352, "refused_to_photo": null, "not_completed": null, "confirmed": false, "extra_price": 0, "branded_photo": null, "booking_price": 12000, "call_center_comment": null, "cert_id": 0, "status": { "ru": "", "fr": "Réussi", "en": "Completed", "nl": "", "be": "", "tr": "", "ca": "ompletat", "de": "Absolviert", "db": "completed", "it": "", "sk": "", "ar": "", "th": "", "sl": "", "cs": "", "et": "Läbitud", "az": "Keçilmişdir", "ua": "", "es": "Completado" }, "booked_by": null, "investigated": "no", "brand_logo": { "ru": "", "fr": "", "en": "", "nl": "", "be": "", "db": null, "ca": "", "de": "", "tr": "", "it": "", "sk": "", "ar": "", "th": "", "sl": "", "cs": "", "et": "", "az": "", "ua": "", "es": "" }, "gamers_count": 4, "tickets_count": 0, "partial_prepay": true, "payment": { "ru": "", "fr": "en ligne ", "en": "online", "nl": "online", "be": "", "tr": "Online", "ca": "Online ", "de": "Online-Zahlung", "db": "online", "it": "online", "sk": "online", "ar": "دفع الكتروني", "th": "ออนไลน์", "sl": "", "cs": "", "et": "Online", "az": "onlayn", "ua": "", "es": "Online" }, "promocode_type": null, "lacking_sum_paid": false, "prepay_price": 3000, "booking_time_local": "28.12.2014 12:36", "hints_count": null, "booking_id": "PER 14 54 814", "booking_time": "2014-12-28T09:36:13+00:00", "timeslot": { "start": "2014-12-28T14:00:00+00:00", "price": 6000, "start_local_date": "28 ", "id": 95759, "caption": ": 28.12.2014, 17:00", "es_start_local_date": "2014-12-28", "quest": { "rating_positions": [ 486, 486 ], "id": 108, "name": { "ru": "", "fr": "", "en": "The Collector", "nl": "", "be": "", "db": "", "ca": "", "de": "", "tr": "", "it": "", "sk": "", "ar": "", "th": "", "sl": "", "cs": "", "et": "", "az": null, "ua": "", "es": "" }, "location": { "city": { "timezone": "Europe/Moscow", "country": { "iso_code": "ru", "id": 1, "name": { "ru": "", "fr": "", "en": "Russia", "nl": "Rusland", "be": "", "db": "", "ca": "", "de": "Russland", "tr": "", "it": "", "sk": "", "ar": "", "th": "", "sl": "", "cs": "", "et": "", "az": null, "ua": "", "es": "" } }, "id": 1, "name": { "ru": "", "fr": "", "en": "Moscow", "nl": "", "be": "", "db": "", "ca": "", "de": "Moskau", "tr": "", "it": "", "sk": "", "ar": "", "th": "", "sl": "", "cs": "", "et": "", "az": "", "ua": "", "es": "" } }, "id": 55, "name": { "ru": "", "fr": "", "en": "", "nl": "", "be": "", "db": "", "ca": "", "de": "", "tr": "", "it": "", "sk": "", "ar": "", "th": "", "sl": "", "cs": "", "et": "", "az": null, "ua": "", "es": "" } } }, "prices_by_tickets_count": null, "start_local_dt": "2014-12-28T17:00:00+03:00", "start_local": "28.12.2014, 17:00" }, "cancellation_reason": null, "cancellation": { "ru": "", "fr": "non", "en": "no", "nl": "nee", "be": "", "tr": "hayır", "ca": "No", "de": "nein", "db": "no", "it": "no", "sk": "nie", "ar": "لا", "th": "ไม่", "sl": "", "cs": "", "et": "pole", "az": "", "ua": "є", "es": "no" } } } 

To the credit of “Claustrafobias”, it must be said that they were among the small number of companies that respond to reports of potential data leakage and thank the researchers:

Good day! I am writing to you from a company already known to you Claustrophobia. We received your Facebook message about the risk of data leakage, for which I want to thank you separately! In gratitude, we invite you to become one of the testers of our future games. If you agree, please send me your contact information: email and telephone. We will invite you when the tests will be conducted! Thanks again for your help;)

News about information leaks and insiders can always be found on my Information Leaks Telegram channel.