The big picture: The good news is that as of Wednesday morning, the vulnerability had been closed. The bad news? The service is in use at 1.5 million locations globally. Worse yet is the fact that unlike passwords, once biometric data like fingerprints are leaked, you can’t change them.

Security researchers with vpnmentor, a service that reviews virtual private network providers, recently found a publicly accessible database that was unprotected and mostly unencrypted.

The database in question belonged to Suprema, a security company that’s responsible for the widely used Biostar 2 biometrics lock system in use at facilities around the globe. By manipulating URL search criteria in Elasticsearch, the researchers were able to gain access to a database with nearly 28 million records.

Said database included 23GB worth of data including fingerprint data, facial recognition data, dashboards, admin panels, images of faces, facility access lots, security levels and clearances, unencrypted usernames and passwords and personal details of staff.

In testing, the researchers said they were able to access data from a medicine supplier in the UK, a car parking space developer in Finland, a gym in India and co-working organizations in the US and Indonesia. They were even able to change data and add new users.

Masthead credit: holographic fingerprint by ktsdesign