Mastodon users' posts and public account information are being scraped by an Elasticsearch server. Information from over 150,000 Mastodon users has already been scraped, and the process is still underway. Worse, the server allows public access to the logged entries without any form of authentication.
This means that anyone familiar with the Shodan search engine can access the material without login credentials. Notably, none of the official Mastodon servers are connected to the exposed server, which is owned by a third party.