Unprotected MongoDB leaks 188m users’ data from sensitive search engine

Another day, another data breach…

Another day, another data breach; this time, a security researcher has discovered a massive trove of data hosted on an unprotected MongoDB database available for anyone to access without any authentication.

Discovered by Comparitech’s researcher Bob Diachenko on June 18, 2019; the database contained personal sensitive information of over 188 million people. According to Diachenko’s analysis, some of the records in the database belonged to users from LexisNexis and Pipl.

It is worth noting that LexisNexis a legal search engine providing “computer-assisted legal research as well as business research and risk management services.” Pipl.com, on the other hand, is knowns as the world’s largest people search engine and among other services, it lets individuals find the person behind the email address or phone number including those on Deep Web.

See: Cyber ​​attacks cost $45 billion in 2018 with Ransomware at top

What data was exposed?

According to Comparitech’s blog post, the database exposed following information from Pipl:

First and last name
Aliases and past name
Email address
Physical address
Date of birth
Court and bankruptcy notes
Phone number
Social media profile links
Political affiliations
Employers past and present
Automobiles and property

Moreover, the database exposed 800,000 records belonging to LexisNexis which included:

Past names
Parental status
Short biography
Family members
Redacted emails
Person’s neighbors
Neighbors’ full name
Neighbors’ date of birth
Neighbors’ reputation
Neighbors credit Score
Neighbors’ Address

Screenshot from Comparitech shows exposed records from Pipl

Impact of this breach

A data breach has a negative impact on companies and their customers, especially if the breach involves personal and sensitive data. This, not only, puts customers at risk in real-time but also influences the company’s business and future.

In this case, although it is unclear if the database was accessed by third-parties before, it won’t be a surprise if it has been.

See: Family locator app leaked real-time location data of 238,000 individuals

Remember, cybercriminals are very active in targeting the unprotected MongoDB databases, for instance, the sensitivity of the matter can be assessed by a test carried out by Diachenko and his team in March 2018 in which they left a honeypot MongoDB database containing 30GB of fake data. Little did they know, it took only three hours for hackers to identify the database before wiping out its data in just 13 seconds and leaving a ransom note demanding 0.2 Bitcoin.

“I have previously reported that the lack of authentication allows the installation of malware or ransomware on the MongoDB servers. The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges. Once the malware is in place, criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains,” said Diachenko.
The good news, however, is that the database was finally secured by its owner on July 3, 2019.

See: WiFi finder app exposes millions of WiFi network passwords

Bob Diachenko has been keeping an eye on unprotected MongoDB databases for the last couple of years. Previously, Diachenko identified and reported tons of such incidents including the infamous Verifications.io breach in which an unprotected database exposed 2 billion records.

Details on other high profile databases discovered by Diachenko are available here.

Did you enjoy reading this article? Kindly do like our page on Facebook and follow us on Twitter.
Related Posts