Keepnet kerfuffle: Firing legal threats at bloggers did infosec biz more damage than its exposed database

Comment UK-based infosec outfit Keepnet Labs left an 867GB database of previously compromised website login details accessible to world+dog earlier this year – then sent lawyers' letters to bloggers in a bid to erase their reports of its blunder.

A contractor left the Keepnet Elasticsearch database unsecured back in March after disabling a firewall, exposing around five billion harvested records to the public internet, the firm admitted in a statement yesterday.

The database was indexed by a search engine, and came to the attention of noted infosec blogger Volodymyr "Bob" Diachenko, who wrote it all up. Keepnet disputed Diachenko's initial characterisation of the breach, and things spiralled from there.

As reported by news website Verdict, Keepnet was stung by Diachenko's initial post about the gaffe, which Keepnet interpreted as the blogger blaming the business for leaking its own customers' data – none of its own clients' data was exposed, but rather info from previous publicly known database exposures. Diachenko said the database contained email addresses, hashed passwords, the sources of the information, and other details, all gathered from previous leaks by hackers.

What actually happened, Keepnet later insisted, was that a contractor had screwed up by turning off a firewall. The 867GB database, claimed Keepnet, contained email addresses harvested from other data spillages that took place between 2013 and 2019.

"As part of the Keepnet Labs Solution, we provide a 'compromised email credentials' threat intelligence service. To provide this service, we are continuously collecting publicly known data-breach data from online public resources. We then store this data in our own secure Elasticsearch database and provide companies with the information relating to their business email domains via our Keepnet platform," the firm insisted.

Nonetheless, Keepnet responded to the bloggerati by sending lawyers' letters to all and sundry, demanding its name be removed from the posts about the prone Elasticsearch database. Unfortunately for Keepnet, one of those letters landed on the doormat of veteran infosec scribbler Graham Cluley. Not one to be cowed, Cluley removed the firm's name from his blog post – then tweeted about it.

Following a legal threat from ███████ ████ I have removed their name from this article on my site:https://t.co/kQOzgzoVHa

I hope readers will accept my apologies for what is clearly unsatisfactory, but I can ill-afford to get embroiled in a legal fight. pic.twitter.com/zcIkqirwb9

— Graham Cluley (@gcluley) June 3, 2020

In a subsequent post about the kerfuffle, Cluley said: "I gave Keepnet Labs multiple opportunities to tell me what was incorrect in my article, or to offer me a public statement that I could include in the article. I told them I was keen to present the facts accurately." This is best practice for bloggers and standard practice for reputable news organs.

El Reg has received its fair share of lawyers' letters commissioned by red-faced company execs determined to disrupt and deter news reporting of their doings. The letter sent to Cluley (seen by The Register and screenshotted at the link just above) seemingly complained that Cluley had defamed the company. It called out words that weren't actually in his blog post; cited part of an EU directive that has nothing to do with defamation law either in the political bloc or in the UK as justification; and threatened legal action, injunctions, costs and damages (£££) unless the entire blog post was deleted.

Whether the Elasticsearch database truly was exposed for just 10 minutes as Keepnet claimed, and whether those 10 minutes were long enough for it to be indexed, that index to be seeded through BinaryEdge, Diachenko to notice the new result, click around as required, download 2MB of it, inspect the download and then figure out who owned the database, is all moot. Keepnet's actions after the discovery eclipsed the original screw-up completely.

An unrepentant Keepnet said in its statement: "We have been working over the past few months to get in contact with the authors of posts who have shared inaccurate aspects of this story and have politely asked them to update their articles," which is a funny way of saying "hired a lawyer to threaten a defamation lawsuit unless the posts were deleted." This was only ever going to produce one result, and not the one Keepnet wanted.

As Cluley put it: "Security firms should be examples for all businesses on how to behave after a security breach. Transparency, disclosure of what went wrong, and what steps are being taken to ensure that something similar doesn't happen again are key to building trust and confidence from customers and the rest of the industry."

For what it's worth, El Reg didn't cover the breach at the time it was first reported because, well, it involved public information becoming public again. It is to be hoped that Keepnet's entirely self-inflicted reputational harm here teaches its founder a sharp and valuable lesson.

Keepnet did not respond last week when we asked the firm for comment. ®