Another day, another data breach; this time, a security researcher has discovered a massive trove of data hosted on an unprotected MongoDB database available for anyone to access without any authentication.
The database was discovered by Comparitech researcher Bob Diachenko on June 18, 2019, and contained sensitive personal information on over 188 million people. According to Diachenko’s analysis, some of the records in the database belonged to users from LexisNexis and Pipl.
It is worth noting that LexisNexis is a legal search engine providing “computer-assisted legal research as well as business research and risk management services.” Pipl.com, on the other hand, is known as the world’s largest people search engine; among other services, it lets individuals find the person behind an email address or phone number, including those on the Deep Web.
What data was exposed?
According to Comparitech’s blog post, the database exposed the following information from Pipl:
First and last name
Aliases and past name
Date of birth
Court and bankruptcy notes
Social media profile links
Employers past and present
Automobiles and property
Moreover, the database exposed 800,000 records belonging to LexisNexis which included:
Neighbors’ full name
Neighbors’ date of birth
Neighbors’ credit score
Impact of this breach
A data breach has a negative impact on companies and their customers, especially when the breach involves personal and sensitive data. It not only puts customers at immediate risk but also affects the company’s business and future.
In this case, although it is unclear whether the database was accessed by third parties before it was secured, it would not be a surprise if it had been.
Remember, cybercriminals actively target unprotected MongoDB databases. The sensitivity of the matter can be gauged from a test carried out by Diachenko and his team in March 2018, in which they left a honeypot MongoDB database containing 30GB of fake data exposed online. It took attackers only three hours to identify the database; they wiped its data in just 13 seconds and left a ransom note demanding 0.2 Bitcoin.
“I have previously reported that the lack of authentication allows the installation of malware or ransomware on the MongoDB servers. The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges. Once the malware is in place, criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains,” said Diachenko.
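The “public configuration” Diachenko describes comes down to two mongod.conf settings. As an added illustration (not a file from the incident, Comparitech or MongoDB’s documentation), here is the exposed pattern followed by the hardened equivalent; the private address 10.0.0.5 is an assumed example value.

```yaml
# Added example: two separate mongod.conf files, shown as one YAML stream.
# Neither is taken from the database described in the article.

# --- File 1: exposed configuration (weak) ------------------------------
# Listening on every interface with authorization disabled means anyone who
# can reach TCP/27017 gets full read/write access to every database, which
# is exactly the state that allows data theft, wiping and ransom notes.
net:
  port: 27017
  bindIp: 0.0.0.0           # reachable from the public internet
security:
  authorization: disabled   # no user or role checks (omitting the key has the same effect)
---
# --- File 2: hardened configuration ------------------------------------
# Bind only to loopback and the private application network, and require
# every client to authenticate. Pair this with a host firewall or cloud
# security group that restricts 27017 to the application hosts.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # 10.0.0.5 is an assumed private address
security:
  authorization: enabled       # clients must authenticate and are limited by their roles
```

With authorization enabled but no users created yet, MongoDB’s localhost exception lets an administrator create the first user from the server itself; remote connections without credentials are rejected. Checking that `bindIp` does not include `0.0.0.0` and that `security.authorization` is `enabled` is the quickest way to confirm a deployment is not in the exposed state.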
Bob Diachenko has been keeping an eye on unprotected MongoDB databases for the last couple of years. Previously, Diachenko identified and reported tons of such incidents including the infamous Verifications.io breach in which an unprotected database exposed 2 billion records.
Details on other high-profile databases discovered by Diachenko are available here.