An Elasticsearch server is currently scraping posts and public account information from Mastodon users. So far, information on over 150,000 Mastodon users has been scraped, and the process is ongoing. Worse, the server exposes the logged records to the public without any authentication.
This means that anyone who knows how to search the Shodan search engine can access the information without needing login credentials.
It is worth noting that the exposed server belongs to a third party and is not affiliated with any of the official Mastodon servers.
This was exclusively confirmed to Hackread.com by Anurag Sen, a prominent independent security researcher known for identifying misconfigured databases and cloud servers.
As seen by Hackread.com, this information includes the following:
- Account name
- Display name
- Profile picture
- Following count
- Follower count
- Last status update