Naked Security

Here we Mongo again! Millions of records exposed by insecure database

Another day, another poorly configured MongoDB database.

Yet another MongoDB database instance has been found belly-up, unprotected and exposing 11 million customer records.
Former Kromtech security researcher Bob Diachenko, who made the discovery on Monday, said the database instance was revealing records that included personal details such as email addresses, full name, gender, and physical addresses (zip code, state, city of residence). The database also contained DNS data and information on server response.
To be precise, the 43.5GB dataset contained 10,999,535 email addresses, all of them Yahoo-based.
There weren’t many indications of who the database belongs to. The database name itself gave no indication of ownership – nor did the exposed data include administrator emails, system logs or host information.
But there was one hint: a small suffix in several records. Diachenko said one example was “Yahoo_090618_ SaverSpy,” while ZDNet mentioned “Content-SaverSpy-09092018”. That led some to conclude the database might belong to a coupon/discount company named SaverSpy: a daily deals website operated by Coupons.com.
Neither SaverSpy nor Coupons.com responded to inquiries from ZDNet and Diachenko, but within a few hours of those inquiries, the database was taken offline.


It sounds like this same database has a history of misconfiguration. Shodan had already tagged it as “compromised” as of June. Diachenko says it contained a “warning” database with a “Readme” collection and ransom note demanding 0.4 bitcoin to get the data released.
The ransomers must have screwed up the script, though, given that all the data were intact as of Monday. Diachenko:

I assume this is a result of failed script scenario used by crooks (and pure luck for the database owners).

This is the second unprotected MongoDB instance that Diachenko has spotted this month. Two weeks ago, he came across 445m records belonging to Veeam, a backup, disaster recovery and intelligent data management software company.
None of this is exactly MongoDB’s fault. It’s up to the people who use the product to configure it appropriately for online use, but there’s a reason the database crops up a lot in these kinds of breaches.
On some MongoDB instances, the default configuration has the database listening on a publicly accessible port as soon as it’s installed. Admins are supposed to reconfigure the settings, but many don’t. The result is an internet-connected database with no access control or authentication.
Starting with version 2.6.0, MongoDB disallowed all that when it began denying all networked connections to the database unless explicitly configured by an administrator.
The fact that the newly discovered, maybe-SaverSpy-owned database seems to have been (unsuccessfully) ransomed just points to the fact that there are crooks out there who focus on taking advantage of misconfigured MongoDB databases. As we noted when we wrote up the Veeam leak, the database even has its own flavor of ransomware called Mongo Lock.
Aside from leaving the database vulnerable to ransomware attack, these exposed records, again, also provide lots of fodder for a plethora of other attackers: spammers, scammers, and phishers of all kinds.
It’s up to database admins to lock that database down tight.
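One way to check a `mongod.conf` for the two conditions described above (a network-reachable listener and no access control), as an added example that is not from the original article or from MongoDB. It reads the real `net.bindIp`, `net.bindIpAll` and `security.authorization` settings; the sample configs and the address 10.0.0.5 are constructed, and a missing `bindIp` is assumed to mean loopback, as in current releases.

```python
# Added example: audit a mongod.conf (nested YAML subset) for exposure.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
WILDCARD = {"0.0.0.0", "::"}
CRITICAL = "CRITICAL: network-reachable with no authentication"
NO_AUTH = "WARN: authorization disabled (loopback only)"
ALL_IFACES = "WARN: bound to all interfaces; restrict bindIp or firewall it"

def parse_conf(text):
    """Flatten indented 'key: value' lines into {'net.bindIp': '...'}."""
    flat, stack = {}, []                  # stack: (indent, key) of open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip() or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:       # leave closed sections
            stack.pop()
        value = value.strip().strip("\"'")
        if value:
            flat[".".join([k for _, k in stack] + [key.strip()])] = value
        else:
            stack.append((indent, key.strip()))
    return flat

def audit(text):
    """Return a list of findings; an empty list means no issue was found."""
    conf = parse_conf(text)
    bind_all = conf.get("net.bindIpAll", "false").lower() == "true"
    # Assumption: absent bindIp means loopback only (default in current releases).
    addrs = {a.strip() for a in conf.get("net.bindIp", "127.0.0.1").split(",")}
    reachable = bind_all or bool(addrs - LOOPBACK)
    auth = conf.get("security.authorization", "disabled").lower() == "enabled"
    if reachable and not auth:
        return [CRITICAL]
    if not auth:
        return [NO_AUTH]
    return [ALL_IFACES] if bind_all or addrs & WILDCARD else []

# Constructed sample configs (not taken from any real deployment).
EXPOSED = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
HARDENED = ("net:\n  port: 27017\n"
            "  bindIp: 127.0.0.1,10.0.0.5   # constructed private address\n"
            "security:\n  authorization: enabled\n")

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit(conf))
```

A clean result only covers the config file: settings passed on the `mongod` command line and the host's firewall rules still need to be checked separately.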