DataBreaches.net
Despite warnings earlier this year, tens of thousands of databases continue to leak (update1)

Posted on December 14, 2015 (updated December 15, 2015) by Dissent

Back in February, some students from the Centre for IT-Security, Privacy and Accountability (CISPA) at Saarland University, Germany made headlines when they reported that they had found approximately 40,000 MongoDB Databases exposed on Port 27017, a port that is open by default in a MongoDB Database installation. Anyone who searches Shodan would be able to easily locate such leaking databases.

So what happened after they reported their findings? There was some media coverage, but did the FTC post any guidance or warning to entities? Did CERT? Did the FBI? If they did, I can’t find it, and it appears that many businesses and entities using MongoDB are still exposing their entire databases on Port 27017. As of this weekend, there were 36,000 results for a search for open databases on that port. While many of them appear to be duplicates, it is still a concerning number.

In recent days, DataBreaches.net has reported on some of these leaking databases: the Vixlet leak affecting more than 377,000 MLB, ATP and Slipknot fans, the OkHello leak affecting more than 2.6 million users of the video chat service, the California Virtual Academies leak affecting more than 74,000 students and employees, the iFit leak affecting 576,274 customers, and the Hzone leak affecting 5,027 users of a dating app for HIV-positive singles, but Chris Vickery has also uncovered many other similarly leaking databases. One of them is from the gaming site Slingo, where Chris found 2.5 million users’ first and last names, usernames, email addresses, password hashes, Facebook IDs, postal addresses, and gender. Chris notified them and they secured their database. He has also notified other businesses, such as Kromtech, after he found 13 million MacKeeper users’ information leaking (I think Brian Krebs may be reporting on that one).

So far, none of the above sites seems to have posted any notification on their sites that discloses that their users’ information had been exposed, or for how long it had been exposed. And I can still access OkHello’s backup database that contains videos of children.

Is it time for government or relevant organizations to issue a highly publicized warning about this situation? CERT considered it a high-risk vulnerability when it issued a release in June 2015 about IBM’s NoSQL database. Why no warning on MongoDB Database?

As everyone knows, I am not a security professional. But it seems to me the FBI, FTC, and CERT can and should do something to increase awareness and to get entities to secure their leaking databases.

Update1: John Matherly, the founder of Shodan, responded to the MacKeeper news on Shodan’s blog. He reported almost identical numbers to what I said above:

At the moment, there are at least 35,000 publicly available, unauthenticated instances of MongoDB running on the Internet. This is an increase of >5,000 instances since the last article. They’re hosted mostly on Amazon, Digital Ocean and Aliyun (cloud computing by Alibaba).

[…]

By default, newer versions of MongoDB only listen on localhost. The fact that MongoDB 3.0 is well-represented means that a lot of people are changing the default configuration of MongoDB to something less secure and aren’t enabling any firewall to protect their database. In the previous article, it looked like the misconfiguration problem might solve itself due to the new defaults that MongoDB started shipping with; that doesn’t appear to be the case based on the new information. It could be that users are upgrading their instances but using their existing, insecure configuration files.

Significantly, he notes:

Finally, I can’t stress enough that this problem is not unique to MongoDB: Redis, CouchDB, Cassandra and Riak are equally impacted by these sorts of misconfigurations.

Okay, so expand the alert/guidance to include them. Whether it’s by intention or by accident, millions of people have their personal information at risk.
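As an added example (not from this post, from Shodan, or from MongoDB), a small Python audit that flags the two settings behind the pattern Matherly describes: a mongod.conf bound to every interface with access control left off. It assumes the indented `key: value` subset that mongod.conf normally uses, and the sample configs are constructed.

```python
def parse_conf(text):
    """Parse indentation-nested `key: value` lines (the mongod.conf YAML
    subset) into dotted keys, e.g. {'net.bindIp': '0.0.0.0'}."""
    result, path = {}, []               # path: (indent, key) of open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and blank lines
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while path and path[-1][0] >= indent:  # close deeper/sibling sections
            path.pop()
        path.append((indent, key.strip()))
        if value.strip():
            result[".".join(k for _, k in path)] = value.strip()
    return result

def audit(conf_text):
    """Return the findings for a config; an empty list means neither issue."""
    s = parse_conf(conf_text)
    findings = []
    bind = s.get("net.bindIp")
    # An unset bindIp is flagged too: whether it means localhost depends on
    # the mongod version and package, and old config files survive upgrades.
    if (s.get("net.bindIpAll") == "true" or bind is None
            or any(a.strip() in ("0.0.0.0", "::") for a in bind.split(","))):
        findings.append("listens on all interfaces: net.bindIp not restricted to localhost")
    if s.get("security.authorization") != "enabled":
        findings.append("no access control: security.authorization is not 'enabled'")
    return findings

# Constructed sample configs; the weak one is the pattern behind the exposures.
WEAK = """\
net:
  port: 27017
  bindIp: 0.0.0.0          # reachable from any network
storage:
  dbPath: /var/lib/mongodb
"""
HARDENED = """\
net:
  port: 27017
  bindIp: 127.0.0.1        # local only; still firewall the port
security:
  authorization: enabled   # clients must authenticate
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf) or ["no findings"])
```

Run it against a deployed mongod.conf to catch the upgraded-but-still-insecure configuration Matherly suspects; a clean result still needs a firewall rule in front of port 27017.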
