Cyber Incident Victim: LimeLeads
Date: Jul 2019
Location: United States of America
Summary
A US-based business data broker experienced a significant data exposure when an internal Elasticsearch server was left publicly accessible without authentication, allowing unauthorized access. Security researchers identified the breach after the server was indexed by a search engine, and the company then secured the system promptly. However, a known threat actor had already obtained the database and subsequently sold it. The stolen data contained millions of business contact records, including names, email addresses, company details, and financial information. The compromised data poses a high risk of facilitating targeted phishing attacks against affected organizations and individuals.
Description
The LimeLeads incident originated from an unsecured Elasticsearch server that was publicly accessible without authentication. Security researcher Bob Diachenko identified the exposed server, which had been indexed by search engine Shodan as an open system since at least July 27, 2019. The San Francisco-based B2B leads generator maintained this server containing critical customer data, which included business contact information used for sales operations. Diachenko notified LimeLeads of the exposure on September 16, 2019, prompting the company to secure the server within one day. Despite this rapid remediation, threat actor Omnichorus had already obtained the dataset prior to the server being locked down.

Omnichorus subsequently advertised the stolen data for sale on underground hacking forums starting in October 2019. The dataset contained approximately 49 million records with detailed business user information including full names, job titles, email addresses, company names, physical addresses, phone numbers, website URLs, company revenue figures, and employee count estimates. Security analysts confirmed Omnichorus's established reputation as a "data trader" specializing in distributing compromised information. The exposure created significant risks for spear-phishing campaigns targeting corporate entities, as the verified contact details provided attackers with credible vectors for malicious outreach. LimeLeads did not publicly disclose whether they conducted additional forensic investigations or notified affected customers beyond securing the server in response to Diachenko's alert.
