Data of more than 150K Mastodon users were publicly exposed

December 2, 2022

The public account data of users of Mastodon, the free and open-source self-hosted social networking platform, were exposed after a misconfigured Elasticsearch server was found to be scraping this data along with the users’ public posts.

Information on over 150,000 Mastodon users has already been exposed by the misconfigured Elasticsearch server; researchers note that the exposed data is publicly accessible without any authentication. Any entity that knows how to operate the search engine ‘Shodan’ can freely access the exposed information without login credentials.
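The exposure described above comes down to two node settings: an Elasticsearch HTTP API bound to a public interface, and authentication switched off. The following audit script is an added example written for this article, not code from the original page or from the Mastodon or Elasticsearch projects; it parses the flat `key: value` form that elasticsearch.yml normally uses and checks a constructed weak configuration against a hardened one (the setting names `network.host`, `xpack.security.enabled` and `xpack.security.http.ssl.enabled` are real Elasticsearch settings, the two sample files are constructed).

```python
import ipaddress

def parse_flat_yaml(text):
    """Return {key: value} for 'key: value' lines; comments and blank lines are skipped.
    Constructed minimal parser: handles the flat dotted keys of elasticsearch.yml only."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings

def is_public_bind(host):
    """True when network.host exposes the node beyond the loopback interface."""
    if host in ("0.0.0.0", "::", "_site_", "_global_"):
        return True
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host not in ("_local_", "localhost")

def audit(config_text):
    """Return a list of findings; an empty list means no exposure was detected."""
    s = parse_flat_yaml(config_text)
    findings = []
    # Elasticsearch binds to loopback only unless network.host says otherwise
    host = s.get("network.host", "_local_")
    if is_public_bind(host):
        findings.append(f"network.host={host} binds a non-loopback interface")
    # Authentication disabled is the defect behind an unauthenticated public index
    if s.get("xpack.security.enabled", "").lower() == "false":
        findings.append("xpack.security.enabled=false: no authentication on HTTP API")
    if s.get("xpack.security.http.ssl.enabled", "").lower() == "false":
        findings.append("xpack.security.http.ssl.enabled=false: HTTP API in cleartext")
    return findings

# Constructed sample configs: WEAK mirrors the kind of misconfiguration described above.
WEAK = """network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""
HARDENED = """network.host: 127.0.0.1   # put a reverse proxy or private network in front
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or ["no exposure findings"])
```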

Researchers have yet to identify how long the misconfigured Elasticsearch server has been scraping the data of Mastodon users.

The Elasticsearch server that exposed the users’ data is owned by a third party and is not affiliated with official Mastodon servers, as confirmed by a threat analyst. First spotted on November 15, the server has been actively scraping Mastodon user information; however, the analyst said it remains unknown how long it has been collecting data.

The exposed information includes account names, display names, profile display photos, following and follower counts, and last status updates. No email addresses or login credentials are involved in the exposure. Nonetheless, Mastodon users are still warned to remain cautious about what they share publicly online, as this information can be collected and used for malicious purposes.

Analysts have also yet to discover who owns the misconfigured Elasticsearch server. Since there is nobody to contact about the unauthorised data collection, the amount of exposed user information is expected to grow.

Mastodon is an open-source, decentralised social network service launched in 2016. It is positioned as an alternative to Twitter: no central server controls its network, which makes it more resilient to censorship and manipulation.

Additionally, since Mastodon is open source, anyone can freely contribute to its software development.
