Phishing data sources
The cloud is a useful tool for many functions, and it has been an asset where it is used to increase computing power. Databases are one instance of this: the cloud allows large databases to be stored and reports to be generated from them. One such database application is MongoDB.
Point of Insecure Data
Bob Diachenko, an independent researcher formerly of Kromtech, detected a server that was completely unsecured, using entirely legal tools. On further examination, he was not able to ascertain how long it had been open. On the server was an insecure, incorrectly configured MongoDB instance containing the personal data of 11M users. The dataset was 43.5 GB. It contained the users’ full names, email addresses (all of which, curiously, were Yahoo email addresses), gender, and physical address. Anyone could have opened it if they merely knew the address.
A Big Deal?
Some may note that this was only a database with a portion of the person’s sensitive information that anyone could find online. What could go wrong? That may be the case; however, there was a bit more data attached to the email addresses. A bundle of information per user like this is perfect for malware, phishing, and spamming. Whoever misconfigured the database did the users no favors.
The researcher, after finding this, acted responsibly and did not simply spread it across the internet. In this case, it was not clear who the owner actually was. The only hint was in the file name (“Yahoo_090618_SaverSpy”), which indicated that SaverSpy may have been involved in some way. The researcher contacted SaverSpy, which is associated with Coupons.com, to report the issue, in the hope that the affected users would be told of the breach and that their private data had been openly available. The company did not respond but did, however, take the database offline.
One aspect to review is how to configure this correctly. With companies more focused on speed than on accuracy, these issues will continue. The data may or may not have belonged to SaverSpy; the point is that if the database had been properly configured, this would have been a moot issue.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.