If you’re a Twitter user, you’ve probably heard of Mastodon, free, open-source software with similar micro-blogging features. Recently, independent security researcher Anurag Sen found an active Elasticsearch server that has been collecting scraped information on over 150,000 Mastodon users since at least Nov. 15.
The scraped data includes:
- Display and account names
- Profile pictures
- Following and follower count
- Last status update
It’s not clear how long the server has been scraping user information, but Sen noted that it is still actively adding records and can be accessed without password authentication.
For the moment, no email addresses, passwords or phone numbers have been found. However, Mastodon users should exercise caution when making any information on their profile public.
As noted by Hackread.com, the researcher explained that the misconfigured server is not linked to any of Mastodon’s hosting software.
Sen also said he has not yet been able to identify the owner of the misconfigured Elasticsearch cloud instance, which allows any tech-savvy individual to access the users’ info.
Scraped data from social media networks can put users’ privacy at risk in many ways. While Mastodon users need not fear immediate social engineering attacks leveraging email addresses and phone numbers, users should watch out for suspicious followers and direct messages. It wouldn’t hurt for users to also enable two-factor authentication on their accounts for an extra layer of security.
Use Bitdefender Digital Identity Protection to find out what key pieces of your digital identity have been exposed in data breaches or leaks over the years.
The service helps you take proactive measures to control, manage and protect your digital self with real-time notifications that alert you when your data ends up in legal or illegal data collections on the internet.
You also get expert recommendations to fix any privacy issue detected so you can stay a step ahead of malicious activity and protect your financial wellbeing.