Unprotected MongoDB database exposed 275mn personal records
9 May 2019
A security researcher has discovered a publicly indexed MongoDB database, hosted on Amazon AWS infrastructure, that contained over 275 million records of personally identifiable information (PII) on Indian citizens and was not secured against external access.
The exposed MongoDB database was publicly indexed on April 23 this year and was discovered shortly thereafter by security researcher Bob Diachenko, who immediately notified the Indian CERT team about the exposure. However, the database remained open to external access until Wednesday, when it was dropped by a hacker group known as ‘Unistellar’.
According to Diachenko, the unprotected MongoDB database contained 275,265,298 records of personally identifiable information (PII) on Indian citizens, including names, email addresses, gender, mobile phone numbers, dates of birth, current salary, employment history, education levels, and professional skills.
Unprotected MongoDB databases serve as goldmines for hackers
“I have previously reported that the lack of authentication allowed the installation of malware or ransomware on the MongoDB servers. The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges. Once the malware is in place, criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains,” he noted.
According to Ryan Wilk, vice president at NuData Security, data in the wrong hands – especially detailed personally identifiable information – can have a huge impact on consumers. PII, combined with other user data from other breaches and social media, builds a complete profile.
“In the hands of bad actors, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the Internet and in the physical world. Using these real identities, and sometimes fake identities with valid credentials, they’ll take over accounts, apply for loans, and much more.
“Every hack has a snowball effect that far outlasts the initial breach. All customer information is valuable to hackers. Name, physical and email addresses, passwords, the content of emails – everything that can be used to compile an identity will be used. We need to protect all customer data, but more importantly, we need to make it valueless.
“Passive biometrics technology is making stolen data valueless by verifying users based on their inherent behaviour instead of relying on their data. This makes it impossible for bad actors to access illegitimate accounts, as they can’t replicate the customer’s inherent behaviour. Analysing customer behaviour with passive biometrics is completely invisible to users,” he added.
Jonny Milliken, manager of the research team at Alert Logic, says that the data leak once again demonstrates that when you use cloud services, you still need to take responsibility for your own part of the shared security model.
“There is a huge volume of similar instances of this happening right now, accessible over the internet. Anyone who runs MongoDB in the cloud should take this as a warning to review their infrastructure access immediately and deploy some automated system or service to tell you if it becomes exposed in the future. Eternal vigilance is the price of cloud computing,” he adds.
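The kind of automated exposure check Milliken describes, written here as an added example that is not code from the article or from Alert Logic: it audits mongod text log lines for the startup warning that access control is disabled, and for connections and commands arriving from outside an assumed trusted address range. The sample log lines, the trusted ranges and the function name are constructed for the illustration.

```python
import ipaddress
import re

# Constructed sample lines modelled on the mongod 3.x/4.0 text log format (not taken from the article).
SAMPLE_LOG = """\
2019-04-23T10:15:32.123+0000 I CONTROL  [initandlisten] ** WARNING: Access control is not enabled for the database.
2019-04-23T10:15:32.123+0000 I CONTROL  [initandlisten] **          Read and write access to data and configuration is unrestricted.
2019-04-23T10:16:01.456+0000 I NETWORK  [listener] connection accepted from 10.0.3.17:40122 #1 (1 connection now open)
2019-04-23T10:17:44.789+0000 I NETWORK  [listener] connection accepted from 198.51.100.23:51234 #2 (2 connections now open)
2019-04-23T10:17:45.001+0000 I COMMAND  [conn2] command admin.$cmd command: listDatabases { listDatabases: 1 } numYields:0 reslen:160 0ms
2019-04-23T10:17:46.002+0000 I COMMAND  [conn1] command users.profiles command: find { find: "profiles" } numYields:0 reslen:2048 1ms
"""

# Assumed trusted source ranges (placeholder values): the VPC block and loopback.
TRUSTED_NETS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "127.0.0.0/8")]

CONN_RE = re.compile(r"connection accepted from (\d+\.\d+\.\d+\.\d+):\d+ #(\d+)")
CMD_RE = re.compile(r"\[conn(\d+)\] command (\S+) command: (\w+)")


def audit_mongod_log(text, trusted=TRUSTED_NETS):
    """Return the exposure indicators found in a mongod text log."""
    auth_disabled = False
    untrusted = {}      # connection id -> source IP outside the trusted ranges
    commands = []       # (conn id, source IP, namespace, command) issued over those connections
    for line in text.splitlines():
        if "Access control is not enabled" in line:
            auth_disabled = True
            continue
        m = CONN_RE.search(line)
        if m:
            ip = ipaddress.ip_address(m.group(1))
            if not any(ip in net for net in trusted):
                untrusted[int(m.group(2))] = m.group(1)
            continue
        m = CMD_RE.search(line)
        if m and int(m.group(1)) in untrusted:
            conn = int(m.group(1))
            commands.append((conn, untrusted[conn], m.group(2), m.group(3)))
    if auth_disabled and commands:
        severity = "critical"   # unauthenticated data access from outside the trusted ranges
    elif auth_disabled or untrusted:
        severity = "high"
    else:
        severity = "info"
    return {"auth_disabled": auth_disabled, "untrusted_sources": untrusted,
            "untrusted_commands": commands, "severity": severity}


if __name__ == "__main__":
    for key, value in audit_mongod_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a live instance's log, the "critical" finding is the signal to bind the listener to private addresses and enable authorization before anything else.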
Millions exposed due to the lack of security in cloud databases
In September last year, Diachenko discovered that Veeam, a Swiss-based company that offers data backup, storage, and intelligent data management software, had left a 200GB database exposed to outside access. The database contained a massive chunk of data that was being used by Veeam to communicate with their customers via a software firm named Marketo.
He added that the database contained a total of 445 million records that included people’s first and last names, their nationalities, email recipient status based on whether they were customers or partners, and customer organisation size, such as SMBs, commercial organisations employing between 500 and 5,000 people, or enterprises employing over 5,000 people. The data spanned a four-year period between 2013 and 2017.
In November, he again discovered an unprotected MongoDB cloud database, hosted by data aggregator Adapt, that contained over 9.3 million records of personal data and job descriptions of millions of individuals.
The database contained as many as 9,376,173 personal data records that included first and last names, phone numbers, names of the companies where the individuals were employed, job titles, job descriptions, lists of company domains, industry, company revenue, email confidence scores, the total number of contacts available in the company, and the emails of every contact in the company.