Babysitting-booking app Sitter “temporarily” exposed the personal data of 93,000 account holders, according to a researcher who recently discovered the trove of data using the Shodan Internet of Things (IoT) search engine.
In a LinkedIn post, Bob Diachenko explains how he found the 2GB MongoDB database on August 13, which contained phone numbers, addresses, transaction details, phone book contacts, partial credit card numbers, and encrypted account passwords.
Other information included in-app chat and notification history, plus details of which users needed a babysitter at what time and at which address.
Shodan indexed the database a day before Diachenko noticed it, which suggests a short period of exposure – although it’s possible it was left in an unsecured state for longer.
The positive news: when told of the exposure, Sitter reacted quickly and took the database offline. The alternative view is that if it hadn’t been noticed by chance, the data might still be up there, open to theft or to the ransom demands that have hit other unsecured MongoDB instances.
According to Sitter:
Sitter has already notified all of its users and partners of the temporary data breach you identified that resulted in the last week in the course of development of certain product enhancements. The security vulnerability was immediately re-secured. Sitter prides itself on trust, openness, and transparency with its users and is committed to maintaining a secure environment for its users.
Sitter can console itself that it’s not alone. Earlier this month, the same researcher discovered another MongoDB database, this time exposing the personal data of 2.3 million Mexican patients from the state of Michoacán.
Before that, in 2017, attackers started ransoming an astonishing 28,000 unsecured MongoDB databases, wiping the data and demanding payment in Bitcoin for its return, and receiving payment from at least 20 of the victims.
That too was only noticed when researcher Victor Gevers joined the dots while reporting exposed databases to their owners.
There’s no evidence that anyone other than Diachenko accessed the data in the Sitter incident, so it would seem the company may have got lucky this time.
Once the cybercriminals notice, no breach ever remains “temporary”.
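Both incidents above come down to the same two settings: a mongod listening on every interface, and no requirement to authenticate before reading the data. The script below is an added example, not code from the article or from Sitter, that audits a mongod.conf for exactly those two conditions. It contains its own minimal parser for the indentation-nested `key: value` subset that mongod.conf uses (so it needs no third-party modules), and the two sample configurations at the bottom are constructed for illustration: one in the shape that ends up indexed by Shodan, one hardened.

```python
"""Audit a mongod.conf for the two settings that turn a MongoDB instance into
a Shodan result: listening on every interface, and accepting connections
without authentication.

Added example, not code from the article or from Sitter. The parser below
handles only the indentation-nested `key: value` subset that mongod.conf
uses, so the script needs no third-party modules; the sample configs at the
bottom are constructed for illustration."""

# Addresses that mean "every interface" in net.bindIp.
ALL_INTERFACES = {"0.0.0.0", "::"}


def parse_simple_yaml(text):
    """Parse indentation-nested `key: value` lines into nested dicts.

    Strips comments and blank lines. Lists, anchors and multi-line values
    (none of which the checked keys use) are not supported."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        # Close any mappings nested deeper than, or level with, this line.
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks passed."""
    conf = parse_simple_yaml(text)
    net = conf.get("net", {})
    security = conf.get("security", {})
    findings = []

    bind_ip = net.get("bindIp")
    if str(net.get("bindIpAll", "false")).lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    elif bind_ip is None:
        findings.append(
            "net.bindIp not set: releases before 3.6 bound every interface by "
            "default, so confirm the running version or set it explicitly"
        )
    else:
        addrs = [a.strip() for a in bind_ip.split(",")]
        if any(a in ALL_INTERFACES for a in addrs):
            findings.append(f"net.bindIp={bind_ip}: mongod listens on every interface")

    if str(security.get("authorization", "disabled")).lower() != "enabled":
        findings.append(
            "security.authorization not enabled: anyone who can reach the port "
            "can list and dump every database"
        )
    return findings


# Constructed sample: the shape of a config that ends up indexed by Shodan.
EXPOSED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # reachable from the internet, no auth section at all
"""

# Constructed sample: loopback only, credentials required.
HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_mongod_conf(conf)
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

The config file is only half the picture: mongod also accepts `--bind_ip_all` and `--auth` on the command line, which override the file, so pair this with a look at what the process actually listens on (`ss -ltnp` on Linux) and, where possible, an unauthenticated connection attempt from outside the host. A loopback-only bind is the right default; if the database must be reachable over the network, restrict bindIp to a private address and put authentication, TLS and a firewall rule in front of it.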
Image courtesy of Sitter.app
Mahhn
Question: is Shodan excluded from laws?
Statements like “Shodan indexed the database” mean it read the data and shared that data with anyone who would look. If a person did that they would be prosecuted (accessing someone’s computer without authorization).
scott
@Mahhn: If you publish/expose something on the internet, either on purpose or accidentally, it’s in the public domain, so no law is broken. It may be unethical to read/use it for personal gain, but not illegal. There is one exception: if you open something that is marked as classified at any level and you know it is classified, in most cases you have broken the law. It is also illegal if you break into a system, either by using a vulnerability or by stealing credentials.
Mahhn
Thanks for responding. Then I guess it becomes a thin line legally (on a case-by-case basis) whether it was a vulnerability, a misconfiguration, or something in between.
I would have expected that if there is PII (phone numbers, addresses, transaction details, contacts, partial credit card numbers, and encrypted account passwords) it would be obvious it wasn’t intentionally made public. But if the laws state it must be labeled “Classified”, that will be a word soon to be found in the metadata of every DB.
John E Dunn
It’s not, but even if it were, or could somehow be blocked, that wouldn’t be a good idea: if something is vulnerable, on balance it is better to know that fact.