According to our ZDNet colleagues, a server hosting a MongoDB database of about 60 GB, containing personal information on readers of the weekly, was freely accessible.
The data set includes names, first names, e-mail addresses, profile photos, publication titles and additional information associated with user profiles. No passwords or bank data were stored on this server.
Still according to ZDNet, "even after the magazine was notified of this leak, the database remained exposed unprotected for a month." Mickey Dimov, a security expert, is behind this discovery. He contacted L'Express in January, apparently without receiving a reply, before sending the items to our colleagues, who also contacted the weekly.
"I did not want this data erased because I feared that their website and infrastructure would be intimately connected to it," says Mickey Dimov. He adds that "there were a lot of collections that seemed to be essential on the first page [and] to the warning system they used to broadcast content".
For its part, L'Express confirmed the flaw to ZDNet, claiming to have "been the victim of an illegal intrusion into one of its servers", but stating that the server was "inactive" and "formerly used for testing". That does not appear to be the case, however, since the last entry was created on February 20, 2018.
Our colleagues note that "L'Express has, to our knowledge, made no effort to inform its readers or the authorities".