French news site L'Express exposed reader data online

French weekly news magazine L'Express left a server containing a database of its readers exposed online for weeks without a password, ZDNet reports.

Even after the Paris-based magazine was warned of the exposure, the database wasn't secured for another month, leaving its contents accessible and downloadable by anyone, including hackers who made several attempts to ransom the data.

Mickey Dimov, a Florida resident and recent high school graduate who now works in security operations for a major defense contractor, told ZDNet that he found the database by chance. At about 60 gigabytes in size, the database was packed with data on over 693,000 readers, and other information critical to the magazine's online operations.

Through an intermediary, Dimov contacted the company in January. After hearing nothing back, he contacted ZDNet, which also alerted the magazine to the exposure.

During the month Dimov was waiting to hear back from the magazine, he watched the MongoDB database being hit by criminals who tried multiple times to steal the data and hold it to ransom for bitcoins, a common technique used by scammers against open and exposed databases.

Dimov kept tabs on the database.

"I was progressively more and more frustrated about the lack of communication," he said. "This got kind of personal for me."

After criminals began targeting the database, Dimov fought off ransom attacks by duplicating and restoring the tables, preventing any data loss. Based on the table history, attackers may have tried to ransom the database more than a dozen times.

"I did not want this data to be deleted because I was worried that it was hooked to their website and infrastructure in a major way," he explained. "There were a lot of collections that looked like they were critical to the front page [and] to the alert system they used to push out news."

When reached last week, L'Express editor-in-chief Emma Defaud confirmed the data leak in an email to ZDNet, and said she was "grateful" for the report. "It has been corrected," she said.

In a later, follow-up email, she said, "L'Express has been victim of unauthorised intrusion into one of [our] servers," and downplayed the potential impact, saying the server was "inactive" and used in the past "to run tests on."

ZDNet obtained a portion of the database to verify. Each record had a reader's first name and surname, email address, and profile photos, and their job titles, along with other information associated with each user's online readership profile.

Defaud confirmed that neither passwords nor bank details were stored in the database.

"The data contained on that server is old," Defaud explained. "The data is accounts created on a service that's now terminated, namely communaute.lexpress.fr. The accounts were created in 2016, by people either willing to post a comment or keen to receive our newsletter."

A closer examination of the database records, however, showed otherwise. The most recent entry in the database was timestamped February 20, 2018. That is consistent with the ability to create a new membership account by visiting communaute.lexpress.fr, which redirects to a fully working, operational L'Express service.

Existing French legislation requires that any personal data collected for a service that no longer exists be removed or fully anonymized. If the service had been terminated as Defaud said, that doesn't explain why L'Express held onto the data, something we asked about but received no response to.

Compared to other data breaches, the kind of data exposed by L'Express may not be seen as high-risk information. But the French Supreme Court in 2016 ruled that political opinions can be considered "sensitive" personal data and require greater protections. Given news outlets in France have known political leanings, a case could be made that paying a subscription to a left-leaning or far-right-leaning outlet could reveal a person's political opinions. When contacted, French data protection authority, Commission Nationale Informatique et Libertés (CNIL), would not clearly say if the data is seen as sensitive or not.
