Massive biometric security flaw exposed nearly 28 million records

A huge cache of unsecured biometric credentials and personal information has been discovered by security researchers, The Guardian reports. The breach, which was discovered by researchers Noam Rotem and Ran Locar alongside vpnMentor, included the fingerprint data of more than 1 million people, facial recognition information, unencrypted usernames and passwords, and other personal information of users of Suprema’s Biostar 2 security platform.

The database in question belonged to Suprema, a security company that’s responsible for the widely used Biostar 2 biometrics lock system in use at facilities around the globe. By manipulating URL search criteria in Elasticsearch, the researchers were able to gain access to a database with nearly 28 million records.

The database held 23GB of data, including fingerprint data, facial recognition data, dashboards, admin panels, images of faces, facility access logs, security levels and clearances, unencrypted usernames and passwords, and personal details of staff.

In testing, the researchers said they were able to access data from a medicine supplier in the UK, a car parking space developer in Finland, a gym in India and co-working organizations in the US and Indonesia. They were even able to change data and add new users.
