Update of Oct. 18: a vendor on the dark web has seemingly put the database up for sale for $200. The listing says:
58,848,308 ModBSolutions.com no passwords Business 2016-10
Note that MBS never responded to my courtesy notification, never responded to a request for a statement as to what they were doing in response to the leak, and then removed their phone number from their web site, making it harder for upset consumers to contact them. I hope the Federal Trade Commission is paying attention to this one. As consumers, you can file a complaint with the FTC using their online complaint form. You should probably check the “other” category and then explain how your data were caught up in this incident and any attempts you made to get a response from the company.
Much has been written about the dangers of poorly secured MongoDB databases, among others. Despite the many warnings, millions of records have been lost due to misconfigurations in this database software. Now yet another massive database leak has been uncovered, related to an insecure MongoDB installation, exposing at least 58 million subscriber records.
Twitter user @0x2Taylor posted exfiltrated data on the file sharing site MEGA twice over the weekend, each time resulting in the data being taken down very quickly. The data was then released for a third time on a smaller file sharing website. After analyzing the dataset, we can confirm that nearly 58 million records containing full names, IP addresses, dates of birth, email addresses, vehicle data, and occupations were included in the leak.
Read more on RiskBasedSecurity, who note that ModB may have dodged a serious bullet, because there was another table with 258 million records that was being downloaded or accessed when the entire bucket was pulled offline.
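The misconfiguration behind leaks like this one usually comes down to two mongod settings: the server listening on every interface while authorization is left at its default of disabled. The following is an added example, not code from this site, from ModB or from RiskBasedSecurity, that reads a mongod.conf and flags that combination. Both configuration fragments are constructed for illustration and are not ModB's actual configuration; the parser only handles the flat "section: / key: value" subset of YAML that mongod.conf uses.

```python
"""Audit a mongod.conf for an internet-exposed, unauthenticated MongoDB.

Added example for this post (not from ModB, RiskBasedSecurity or the
MongoDB project).  Checks net.bindIp / net.bindIpAll against
security.authorization, the pair of settings that turns a database
server into a public download.
"""

# Constructed weak configuration: listens on all interfaces, no auth section.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed corrected configuration: localhost only, authorization enabled.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_simple_yaml(text):
    """Parse the indentation-based 'section:\\n  key: value' subset of YAML
    used by mongod.conf.  Not a general YAML parser: no lists, no quoting."""
    root = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # climb back out of deeper sections
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # a section header opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_mongod_config(text):
    """Return a list of findings; an empty list means neither problem is present."""
    conf = parse_simple_yaml(text)
    net = conf.get("net", {})
    security = conf.get("security", {})

    # mongod binds to localhost by default only since 3.6; older releases
    # listened on all interfaces unless the config said otherwise, so an
    # absent bindIp is treated as exposed here to be conservative.
    bind_ip = net.get("bindIp")
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    exposed = bind_all or bind_ip is None or any(
        ip.strip() in ("0.0.0.0", "::") for ip in bind_ip.split(",")
    )
    # security.authorization defaults to "disabled".
    auth_enabled = security.get("authorization", "disabled") == "enabled"

    findings = []
    if exposed:
        findings.append("net.bindIp: mongod listens on all interfaces")
    if not auth_enabled:
        findings.append("security.authorization: not enabled (default is disabled)")
    if exposed and not auth_enabled:
        findings.append("CRITICAL: unauthenticated access from any network the host is reachable on")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_mongod_config(conf) or ["no findings"])
```

Run it against a real /etc/mongod.conf by reading the file into `audit_mongod_config`; an empty result only means these two settings are sane, not that the host firewall or the network path to port 27017 has been checked.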
As of today, ModB has not responded to this site’s original notification to them, alerting them to the leak. Nor have they responded to an inquiry asking them for a comment or what they intended to do about 58 million people having their PII exposed.
Update 1, Oct. 12: ModB still has not responded to this site’s communications. But I see people are commenting under this post that they’ve been notified their data was caught up in this. WHO is notifying you, though? Is it ModB or some site like HaveIBeenPwned?
Update 2: Okay, it looks like it is HaveIBeenPwned.com doing some notifications. They posted this to Twitter:
— Have I been pwned? (@haveibeenpwned) October 12, 2016