
In Oracle’s advertising technology department, the records of billions of people around the world in the database were leaked because the server was in an insecure state and no password was set.
In 2014, Oracle acquired bluekai, a start-up, for more than $400 million, and added its products to Oracle’s data cloud (ODC) and marketing cloud (OMC). Bluekai monitors users on the network through cookies and other tracking technologies, provides data collection services for third parties, and maintains a large database. With the support of Oracle, bluekai has developed rapidly. According to the whatracks website, bluekai tracks more than 1% of all web traffic.
However, for a long period of time, the server storing these data did not set a password at all, resulting in the network tracking data being fully disclosed on the public Internet.
Billions of records are available for anyone to read and view at any time.
These exposed records show a high degree of transparency, including name, home address, email and other personal information such as payment transactions. Therefore, users’ online activities can be tracked for a long time through their “digital portraits”.
For example, one of the records can be specific to a German man (whose real name is hidden here) who bought a 10 euro note on the e-sports betting website on April 19, and also includes the man’s residential address, telephone number and email address. Another record shows that a user living in Istanbul once bought furniture worth $899 online in a household goods store, including the details of the buyer, including the real name, e-mail address and the Internet link of the buyer’s order.
Security researcher Anurag Sen discovered the database and reported his findings to Oracle. Subsequently, Oracle took the database offline. However, the huge scale of the exposed database makes it one of the largest security violations in recent years.
Review of the incident
Technology giant Oracle is one of the few Silicon Valley enterprises with strong strength in the field of Internet tracking technology. The company spent billions of dollars to acquire many start-ups, and built a comprehensive view of users’ web browsing data. Bluekai, a start-up, was acquired by Oracle in 2014 at a price of more than $400 million.
Bluekai uses website cookies and other tracking technologies to monitor users’ network trends, relies on constantly collecting data from various sources to understand market trends, and publishes the most accurate advertising content in combination with people’s interests.
Marketers can use Oracle’s huge database to obtain information through credit institutions, analysis enterprises and other consumer data sources (including billions of data points per day), and finally determine the advertising content that best meets the audience’s taste. In addition, marketers can also upload sorted consumer personal data, such as personal information that needs to be submitted when registering a website or subscribing to business news. This part of data seems not to be sensitive, but after being integrated with each other, it can create a unique “fingerprint” for individual users and their devices to track each other’s browsing trends on the Internet.
Bluekai can also link users’ mobile network browsing habits with desktop behaviors, ensuring that no matter what device users use, they can track their activities through the Internet.
The more content bluekai collects, the more accurate the reasoning of users’ preferences will be, which will help advertisers send different promotional content to different groups with more targeted goals.
However, for a long period of time, the server storing such data did not set a password at all, resulting in the network tracking data being fully leaked on the public Internet. Billions of records are available for anyone to read and view at any time.
Anurag Sen, a security researcher, discovered the database and reported his findings to Oracle through the intermediary of Roy Carthy, CEO of Hudson rock, a network security company.
According to the data provided by Sen, you can find the user’s name, home address, email address and other identity related data. The data also includes various sensitive web browsing activities of users, such as online shopping and news unsubscribing.
The leaked information is highly transparent
Behind the scenes, bluekai is constantly extracting and matching as much personal raw data as possible, and matching it with personal data, so as to continuously enrich the understanding of individuals and track their latest developments.
However, in the end, a large amount of original data was leaked from the exposed database.
According to a record of this exposure, we found that a German man (whose real name is hidden here) bought a 10 euro bet on the e-sports betting website on April 19. The record also contains the man’s residential address, telephone number and email address.
Let’s look at another record, which shows that one of the largest investment holding companies in Turkey uses bluekai service to track its website users. Records show that a user living in Istanbul once bought furniture worth $899 online in a household goods store. This type of record contains the detailed information of the buyer, including the real name, email address and the network link of the buyer’s order.
In another record, it details how a user cancels the news mail subscription service. Records show that this person may be interested in a specific type of tachograph. According to the user agent’s information, we can even find that his iPhone system version is obsolete and needs to be updated.
Monitoring is ubiquitous
Bluekai is everywhere, really everywhere. An estimate shows that the network traffic tracked by bluekai accounts for more than 1% of the global total traffic – its average daily data collection is extremely amazing, and Amazon, ESPN, Forbes, Glassdoor, Healthline, Levi’s, MSN COM, rotten tomatoes and the New York Times have all become the targets of its monitoring.
But we should not only focus on bluekai.
After 2000, big data marketing enterprises swarmed in, and similar DMP data management platforms are of strategic significance in the process of digital transformation, so the relevant data business is constantly expanding.
Almost every website we visit contains some form of hidden tracking code to monitor visitors when they traverse the Internet. These hidden trackers will send web browsing data to a huge database in the cloud. It is the economic value behind these data that enables the entire Internet to run free for a long time. Although most Internet users have long been aware of this ubiquitous tracking, people outside the marketing industry may still be hard to imagine how much data is involved and how the relevant institutions are handling the data.
Take the Equifax data disclosure case that caused a great stir in 2017 as an example. Equifax collected data from millions of consumers without permission, which was severely criticized by legislators. Like bluekai, Equifax has written these tracking behaviors in its tedious and lengthy privacy policy. But who would ordinary consumers read them carefully? And even if they have read it carefully, consumers have no choice but to accept it passively. Either tracked or abandoned. If you want free internet access, you must pay a price.
As long as such a database still exists, the data will one day fall into the wrong hands and cause disastrous consequences. Everyone should have his own secrets and the right not to be spied by some people. When the enterprise collects the original web browsing or purchasing data, no matter how desensitized, it must contain endless real life details.
It is these small details that may expose everyone to potential risks. Vinchin offers solutions for the world’s most popular virtual environments, such as VMware backup, XenServer backup, XCP-ng backup, Hyper-V backup, Red Hat Virtualization backup, oVirt backup, Oracle backup, etc.