Tens of thousands of websites vulnerable to data breaches

Over 58,000 unique websites from around the world are vulnerable to data breaches and even complete takeovers according to new research.

The Cybernews research team has investigated publicly exposed environment files (.env) that should be kept private and protected at all costs. These files hold passwords, API keys, and other secrets that websites need to access databases, mail servers, payment processors, content management systems, and various other services.

A scan of publicly available indexes reveals thousands of website owners leaving their most precious keys unprotected. These websites are vulnerable to unauthorized access and data breaches, and mean that visitors are also exposed to danger.

The analysis of the most up-to-date indexes of environment files reveals in a dataset of 1,141,004 secrets cumulatively exposed from 58,364 unique websites. The most commonly exposed secret is database credentials, present in the .envs of over 27 thousand websites. In such cases, only 12 percent of the databases were hosted remotely, likely allowing for easy credential exploitation.

"Databases often store a lot of sensitive information such as users' private information or admin account information. Database credentials being leaked can expose the website's users' names, addresses, passwords, orders, actions, etc," Cybernews researchers note.

The second most frequently leaked secret type is application keys, which are usually used to encrypt and decrypt cookies and other sensitive information.

Email credentials were found to be present in over 10,000 websites. These could be used in account takeover attempts and also in phishing campaigns to make messages look more legitimate.

Other exposed data includes credential for Mautic -- a marketing automation platform -- AWS keys. The research team found a few hundred API keys used to access payment processors too, including 140 valid Stripe API keys and over 100 PayPal API keys.

Most of the affected websites (17,990) are hosted in the United States. However, secrets are leaking on websites from all over the world. Cybernews researchers discovered 7091 misconfigured websites from Germany, 3290 from India, and 2916 from France. Other countries with over 1,000 leaking websites are Singapore, China, the United Kingdom, the Russian Federation, Japan, and the Netherlands.

The researchers add, "It's estimated that there are around 1 billion websites on the internet, of which only 200 million are active. This could suggest that we’re exploring only a small fraction of a percentage, or 0.0002 percent, of the total web. However, this is only the information gathered from public indexing services without connecting to any vulnerable servers in any way."

You can get full details of the research on the Cybernews site.

Image credit: nmedia/depositphotos.com