Researchers said they found a publicly available database that contains 28 million records – including plain text passwords, facial photos and personal information.
Researchers from vpnMentor reported on Wednesday that the database was used by the web-based Biostar 2 security system sold by South Korea-based Suprema. Biostar uses facial recognition and fingerprint scans to identify people who are authorized to enter warehouses, municipal buildings, businesses and banks. vpnMentor said the system has more than 1.5 million installations in a wide range of countries including the US, UK, Indonesia, India and Sri Lanka.
According to vpnMentor, the 23-gigabyte database contained more than 27.8 million records used by Biostar to secure customer facilities. The data included usernames, passwords and user IDs in plain text, building access logs, employee records including start dates, personal data, mobile device data and facial images.
"Ridiculously simple passwords"
"One of the more surprising aspects of this leak was how unsecured the passwords for accounts we were given," wrote vpnMentor internet privacy researchers Noam Rotem and Ran Locar. "Many accounts had ridiculously simple passwords, like 'Password' and 'abcd1234'. It's hard to imagine that people still don't realize how easy this is for a hacker to gain access to their account."
The researchers also said the data included more than 1 million records containing actual fingerprint scans. Wednesday's report provided no information to support the claim, and vpnMentor researchers did not respond to a request from Ars to send examples of records that included such scans. TechCrunch security reporter Zack Whittaker said on Twitter that his examination of several of the scrambled hashes was inconclusive.
Security experts agree that the best way to store or transmit biometric data is to first hash it, so that third parties cannot obtain the raw data in the event of a breach. If it turns out that the database contained more than 1 million actual fingerprints, it would be a serious breach, because it would expose the people to whom the prints belonged, and the companies for which they worked, to fraud. Fingerprints, unlike passwords, cannot be changed.
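As an added illustration, not code from the original article or from Suprema, the following Python shows what "hash it first" means for the plaintext credentials described above: each password is stored as a salted PBKDF2 hash instead of in plain text, verification compares digests in constant time, and the constructed sample rows flag the trivially guessable passwords the researchers quoted. The record layout, the PBKDF2 parameters and the weak-password list are assumptions for the example, not Biostar's. Note that fingerprint templates are matched approximately and cannot be protected by a plain hash comparison like this one; the example covers the password half of the leak.

```python
import hashlib
import hmac
import os
from typing import Optional

# Example parameters (assumptions, not Biostar's settings). 600,000 iterations
# of PBKDF2-HMAC-SHA256 is the current OWASP recommendation; lower it only for tests.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 32

# Constructed denylist seeded with the two passwords quoted in the report.
WEAK_PASSWORDS = {"password", "abcd1234"}


def is_weak_password(password: str) -> bool:
    """Flag passwords that are on the denylist or too short to resist guessing."""
    return password.lower() in WEAK_PASSWORDS or len(password) < 12


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing 'scheme$iterations$salt$digest' string.

    A fresh random salt per record means two users with the same password get
    different stored values, and a leaked table cannot be attacked with one
    precomputed lookup.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=DKLEN)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed or plaintext value: never accept it
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations),
                                    dklen=DKLEN)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed rows mirroring the kind of plaintext records the report describes.
SAMPLE_RECORDS = [
    {"user_id": 1001, "username": "jdoe", "password": "Password"},
    {"user_id": 1002, "username": "asmith", "password": "correct-horse-battery-staple"},
]


def secure_records(records, iterations: int = PBKDF2_ITERATIONS):
    """Replace each plaintext password with its hash and flag weak choices.

    The plaintext never appears in the output, so a dump of the resulting rows
    does not hand an attacker working credentials.
    """
    secured = []
    for rec in records:
        secured.append({
            "user_id": rec["user_id"],
            "username": rec["username"],
            "password_hash": hash_password(rec["password"], iterations=iterations),
            "weak_password": is_weak_password(rec["password"]),
        })
    return secured


if __name__ == "__main__":
    for row in secure_records(SAMPLE_RECORDS):
        print(row)
```

The `weak_password` flag is the kind of signal an operator can use to force a password reset for accounts like the ones the researchers quoted, without ever keeping the plaintext around.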
Some of the organizations whose information was exposed included:
- Uptown – Jakarta-based coworking space with 123 users.
India and Sri Lanka
- Power World Gyms – High-end gym chain with branches in both countries. We gained access to 113,796 user records and their fingerprints.
- Global Village – An annual cultural festival with access to 15,000 fingerprints.
- IFFCO – Consumer food products group.
Finland
- Euro Park – Developers of parking spaces with locations throughout Finland.
- Ostim – Builders of an industrial area.
- Inspired.Lab – Coworking and design space in Chiyoda City, Tokyo.
Belgium
- Adecco Staffing – We found about 2,000 fingerprints linked to the staffing and human resources giant.
- Identbase – Data belonging to this supplier of commercial ID and access card printing technology was also found in the exposed database.
Wednesday's report said that the researchers found the database through an Internet mapping project that port-scanned known IP blocks for vulnerabilities.
"The team discovered that huge portions of BioStar 2's database are unprotected and mostly unencrypted," the researchers wrote. "The company uses an Elasticsearch database, which is usually not designed for URL use. However, we were able to access it through browsers and manipulate the URL search criteria to expose huge amounts of data."
In addition to storing the information in a world-readable database, vpnMentor researchers said, Suprema also allowed records to be added, deleted or changed. This opened the possibility of entries being added to grant unauthorized access to sensitive sites. It also opens the door to identity theft, phishing attacks, extortion and blackmail.
The vpnMentor researchers said they discovered the exposed database on August 5 and privately reported the finding two days later. The data was not protected until Tuesday, six days later. Representatives of Suprema did not respond to a request for comment on this story.