A secret terrorist watchlist with 1.9 million records, including classified “no-fly” records was exposed on the internet. The list was left accessible on an Elasticsearch cluster that had no password on it. BleepingComputer reports: July this year, Security Discovery researcher Bob Diachenko came across a plethora of JSON records in an exposed Elasticsearch cluster that piqued his interest. The 1.9 million-strong recordset contained sensitive information on people, including their names, country citizenship, gender, date of birth, passport details, and no-fly status. The exposed server was indexed by search engines Censys and ZoomEye, indicating Diachenko may not have been the only person to come across the list. The researcher discovered the exposed database on July 19th, interestingly, on a server with a Bahrain IP address, not a US one. However, the same day, he rushed to report the data leak to the U.S. Department of Homeland Security (DHS). “I discovered the exposed data on the same day and reported it to the DHS.” “The exposed server was taken down about three weeks later, on August 9, 2021.” “It’s not clear why it took so long, and I don’t know for sure whether any unauthorized parties accessed it,” writes Diachenko in his report. The researcher considers this data leak to be serious, considering watchlists can list people who are suspected of an illicit activity but not necessarily charged with any crime. “In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families.” “It could cause any number of personal and professional problems for innocent people whose names are included in the list,” says the researcher. Read more of this story at Slashdot.