
The free video streaming service Kanopy has exposed a large volume of data about its users. A configuration error in a web log database left its contents publicly accessible without authentication. The leak was discovered by information security researcher Justin Paine.
According to the researcher, starting from March 7, between 26 and 40 million log entries from the database could have been publicly accessible.
What happened
The Kanopy service enters into agreements with libraries and community organizations to provide users with free access to older films, documentaries, and other types of video content.
The leaked logs contained a large amount of information about users, including geolocation, timestamps, device type, IP address, and the URLs of the pages they requested. Paine is sure that all of this is enough to reveal the identity of an end user of the service. Potential attackers could also find out what content a person was viewing online.
The error has now been fixed, and there is no information that anyone has tried to misuse the data that was publicly exposed. At the same time, Paine believes that, depending on what a user was watching, potential attackers may attempt blackmail.
Not just Kanopy
Leaks of this kind have been occurring more frequently of late. In the spring of 2019, the social network Facebook acknowledged storing the passwords of millions of users in unencrypted form, and last year the Facebook-owned photo service Instagram also experienced a data leak. The developers of Bethesda's games also admitted that they had accidentally leaked players' personal data in Fallout 76.
During incident investigations and traffic analysis, we regularly find typical errors in information system configurations and violations of corporate information security policies. In 9 out of 10 organizations, regardless of their size and field of activity, we see both passwords transmitted in cleartext and the use of remote access utilities. All of this seriously increases an attacker's chances of breaking in and developing an attack.
On Thursday, April 11, at 14:00, during a free webinar, Positive Technologies experts will go through the most common configuration errors and violations of information security policies and show how to quickly detect them using the PT Network Attack Discovery traffic analysis system. Attendees will also learn what to do to improve network hygiene in the organization. We invite network administrators, information security specialists and their managers, as well as Positive Technologies partners.
To participate in the webinar, you need to register.