According to vpnMentor, the data appears to have come from multiple sources including Ecuadorian government registries, an Ecuadorian national bank and an automotive association. It even includes detailed information about individuals' family members. vpnMentor notified Ecuador's Computer Emergency Response Team, and the breach was closed on September 11th.
The pair said they had found the 18GB of data spread across a variety of files saved on an unsecured server set up and run by Novaestrat - an Ecuadorean marketing and analytics company.
The fingerprints of over 1 million people, as well as facial recognition information, unencrypted usernames and passwords, and personal information of employees, were discovered on a publicly accessible database for a company used by the likes of the UK Metropolitan police, defence contractors and banks.
The researchers in question, Noam Rotem and Ran Locar from vpnMentor, found that a user database belonging to a Chinese company called Orvibo, which runs an Internet of Things (IoT) management platform, had been left exposed to the Internet without any password to protect it.
More than 685 million users may have been exposed to XSS attacks due to a flaw in the Branch.io service used by Tinder, Shopify, and many others. “Digging deeper, we found out many big websites were sharing the vulnerable endpoint in their code and domains, including Shopify, Yelp, Western Union, and Imgur.”