Pierluigi Paganini September 21, 2021

Security researchers discovered an unsecured database exposed online containing the personal information of millions of visitors to Thailand.

The popular cybersecurity research Bob Diachenko discovered his personal data online stored on an unprotected Elasticsearch database containing the personal details of more than 106 million visitors to Thailand.

The expert discovered the unsecured database on August 22, 2021, and immediately notified the Thai authorities, he noticed that some of the data stored in the archive date back ten years.

While the IP address of the database is still public, the database was taken offline and has been replaced with a honeypot.

The database was 200GB in size and contained several assets, including more than 106 million records.

Exposed records include full names, arrival dates, gender, residency status, passport numbers, visa information, and Thai arrival card numbers. 

“Diachenko surmises that any foreigner who traveled to Thailand in the last decade might have had their information exposed in the incident. He even confirmed the database contained his own name and entries to Thailand.” reads the post published by Comparitech.

The good news is that no financial data was contained in the database.

It is not possible to determine how low the archive had been exposed before it was discovered, but Thai authorities told Comparitech that the data was not accessed by any unauthorized parties. 

Below the timeline for the discovery of database:

• August 20, 2021- The database was indexed by search engine Censys.
• August 22, 2021 – Diachenko discovered the unprotected data and immediately took steps to verify and alert the owner in accordance with our responsible disclosure policy.
• August 23, 2021 – Thai authorities were quick to acknowledg the incident and swiftly secured the data.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Thailand)

[adrotate banner=”5″]

[adrotate banner=”13″]