You may have heard of the phrase It’s raining cats and dogs but in the world of cyber security it’s raining data!

A group of hackers going by the handle of TeamGhostShell has leaked more than 36 million accounts/records of internal data from several vulnerable networks in order to raise awareness about the poor security infrastructure implemented on MongoDB databases by their owners.

This data breach is very similar to past cases for example; lack of security on a database that contained sensitive information of 191 million citizens in the US. Another example is the Mackeeper website which didn’t implement basic security settings on the database. The past and current data breaches are all related to MongoDB servers.

The data was actually discovered by Hacked-DB‘s cyber security analysts Yogev Mizrahi and Oren Yaakobi who told HackRead that there are 110 IP addresses that were breached and to every IP there is a dedicated folder with the DB data, proof and general information. The data varies from server to server but reveals a lot of sensitive info such as username, password, full name, phone, address, 627,296 email addresses and more.

“Our system is designed to capture, parse and alert interesting data posted by hackers on the clear web and the darknet. We have a team of cyber analysts which verifies security incidents based on our alert system. Upon detection, we’ve started analyzing the data with our tools in order to provide in-depth analysis of the compromised data,” according to one of the representatives of Hacked-DB.

hacker-leaks-36-million-mongodb-accounts
Sample screenshot

For privacy reasons we will not share the link for the leaked data however a full transcript for the hacker’s message is available below:

For more than a few years now various people across the net have been signaling an on-going vulnerability
within the new MEAN Stack system of client/routing/server. The successor of the LAMP Stack, an already infamous vulnerable platform, many thought this new one is more secure, yet it’s almost the exact same as its predecessor. MySQL typically replaced by NoSQL and the main database configuration managed by MongoDB.

This project will focus solely on this poorly configured MongoDB. I’d like to mention exactly how easy it is to
infiltrate within these types of networks but also how chilled sysadmins tend to be with their security measures. Or should I say, lack thereof?

In a lot of instances, the owners don’t bother checking for open ports on their newly configured servers, not only that but they also don’t concern themselves with establishing a proper authentication process. (Just a simple username/password). Typical open ports: 22, 53, 80, 81, 110, 137, 143 443, 465, 993, 995, 3000, 8080, 27017, 3306, 6379, 8888, 28017, 64738, 25565.

This can basically lead to anyone infiltrating the network and managing their internal data without any interference. You don’t even have to elevate your privileges, you just connect and have total access. You can create
new databases, delete existing ones, alter data, and so much more.

I am leaking more than 36 million accounts/records of internal data from these types of networks to raise awareness about what happens when you decide not to even add a username/password as root or check for open ports, let alone encrypt the data. Each server folder has within it a plaintext file with the general info of the target, a screenshot
from within my MongoDB client with me having access and of course the leaked data in the raw text. There are a few million accounts with passwords and the rest is private person data or other types.

This should serve as a cruel reminder of what happens when you don’t use proper security hygiene. And don’t worry if you thought this is the only vulnerability out there, guess again. The old ones remain as well.

This is not the first time when TeamGhostShell has come up with such a massive hack. In the past, the same team leaked 700,000 accounts from the government, mining, banking, petroleum, construction, management, networking, transport services, education/academics and other high profile financial institutions in South Africa. In another hack, the team hacked 200 universities and leaked personal data of thousands of users worldwide.

Here are two of the screenshots from the leaked data shared by TeamGhosShell:

mongo-db-hacked
Screenshot shows folders from the leaked data
mongodb-hacked
Every folder includes a general info file that provides details about the IP address and company

Stay tuned, Hacked-DB is still scanning the data. Once HackRead gets hold of the analysis we will update our readers!

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.