Babysitting-booking app Sitter “temporarily” exposed the personal data of 93,000 account holders, according to a researcher who recently discovered the trove of data using the Shodan Internet of Things (IoT) search engine.
In a LinkedIn post, Bob Diachenko explains how he found the 2GB MongoDB database on August 13, which contained phone numbers, addresses, transaction details, phone book contacts, partial credit card numbers, and encrypted account passwords.
Other information included in-app chat and notification history, plus details of which users needed a babysitter at what time and at which address.
Shodan indexed the database a day before Diachenko noticed it, which suggests a short period of exposure – although it’s possible it was left in an unsecured state for longer.
The positive news: when told of the breach, Sitter reacted quickly, taking it offline. The alternative view is that if it hadn’t been noticed by chance, the data might still be up there and vulnerable to ransom or theft.
According to Sitter:
Sitter has already notified all of its users and partners of the temporary data breach you identified that resulted in the last week in the course of development of certain product enhancements. The security vulnerability was immediately re-secured. Sitter prides itself on trust, openness, and transparency with its users and is committed to maintaining a secure environment for its users.
Sitter can console itself that it’s not alone. Earlier this month, the same researcher discovered another MongoDB database, this time exposing the personal data of 2.3 million Mexican patients from the state of Michoacán.
Before that, in 2017, an attacker started ransoming an astonishing 28,000 unsecured MongoDB databases, receiving payment from at least 20 of the victims in Bitcoins.
That too was only noticed when researcher Victor Gevers joined the dots while reporting exposed databases to their owners.
There’s no evidence that anyone other than Diachenko accessed the data in the Sitter incident, so it would seem the company may have got lucky this time.
Once the cybercriminals notice, no breach ever remains “temporary”.
Image courtesy of Sitter.app