Dark Reading is part of the Informa Tech Division of Informa PLC



763M Email Addresses Exposed in Latest Database Misconfiguration Episode

MongoDB once again used by database admin who opens unencrypted database to the whole world.

In February, security researcher Bob Diachenko found a MongoDB instance holding four collections and 150GB of data in total, including approximately 763 million unique email addresses. The instance was openly accessible, and the data inside was stored in plain text. Rich in personally identifiable information (PII), it is the latest MongoDB database to be hit in a breach totaling millions of records.

In the blog post announcing the discovery, Diachenko detailed the kind of data found in the records as well as the database's owner — Verifications.io. When informed of the data set's availability, the company took the site down very quickly; as of this writing, it is not yet back online.

While the data exposed in this incident is remarkable for its size, it is merely the latest in a significant series of data breaches and exposures involving MongoDB. In a January blog post at Krebs on Security, Brian Krebs noted that tens of thousands of MongoDB databases had been hit with ransomware. Those databases that used no authentication were particularly susceptible to the ransomware attacks.

Also in January, Diachenko discovered another open MongoDB database filled with personal information from job seekers. It is, it seems, quite easy to configure a MongoDB database in ways that open the door to thieves and attackers.

And that is really the issue. MongoDB can be configured in ways that are quite secure, but a novice developer who simply takes the default settings at every step in building a database will create a data set with no protection at all. The number of MongoDB instances makes the likelihood of that insecurity fairly high; a quick Shodan search shows 67,864 MongoDB installs around the world, with most — a bit over two-thirds — in the US. China is next when it comes to MongoDB use, with just less than half the number of instances found in the US.

MongoDB is popular in the cloud, as well. That same Shodan search shows that Amazon.com has 9,016 MongoDB instances, Digital Ocean hosts 4,966, Tencent cloud computing hosts 3,918, Microsoft Azure 2,849, and Google Cloud 1,931.

What is to be done about securing MongoDB databases? The most direct answer would be for the default settings to change, but MongoDB's status as an open source project makes that a process that is, at best, slow. The answer, instead, is in education for the admins and developers most likely to deploy MongoDB in their own instance. As Chris DeRamus, DivvyCloud's CTO, wrote to Dark Reading in a statement, "We live in a world where data is king — collecting, storing, and leveraging data is essential to running just about any type of business you can think of. All the more reason organizations must be diligent in ensuring data is protected with proper security controls."
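For admins who want a concrete starting point, the kind of review described above can be sketched as a small script. This is a minimal illustration, not an official MongoDB tool: it assumes the server's configuration file has already been parsed into a Python dictionary, and the function name audit_mongod_config and the two sample configurations are hypothetical. The option names it inspects (security.authorization, net.bindIp, net.bindIpAll, and net.tls.mode) are MongoDB configuration file options, though defaults and available options vary by version and packaging, so the checks should be adapted to the deployment at hand.

```python
from typing import Any, Dict, List


def audit_mongod_config(config: Dict[str, Any]) -> List[str]:
    """Return warnings for risky settings in a parsed mongod configuration.

    `config` is assumed to mirror the nested layout of a mongod YAML
    config file, e.g. {"net": {"bindIp": "127.0.0.1"}}.
    """
    warnings: List[str] = []
    security = config.get("security") or {}
    net = config.get("net") or {}

    # Access control is off unless security.authorization is "enabled".
    if security.get("authorization") != "enabled":
        warnings.append(
            "authorization is not enabled: clients can connect without credentials"
        )

    # bindIp may hold several comma-separated addresses.
    bind_ip = str(net.get("bindIp", ""))
    addresses = [addr.strip() for addr in bind_ip.split(",") if addr.strip()]
    listens_everywhere = net.get("bindIpAll") is True or any(
        addr in ("0.0.0.0", "::") for addr in addresses
    )
    if listens_everywhere:
        warnings.append(
            "listening on all interfaces: the instance may be reachable from the internet"
        )

    # Without requireTLS, connections may carry data in plain text.
    tls_mode = (net.get("tls") or {}).get("mode")
    if tls_mode != "requireTLS":
        warnings.append("TLS is not required: traffic may travel unencrypted")

    return warnings


# Hypothetical example configurations, for illustration only.
open_config = {"net": {"bindIp": "0.0.0.0", "port": 27017}}
locked_config = {
    "security": {"authorization": "enabled"},
    "net": {"bindIp": "127.0.0.1", "port": 27017, "tls": {"mode": "requireTLS"}},
}

if __name__ == "__main__":
    for warning in audit_mongod_config(open_config):
        print("WARNING:", warning)
```

A script like this only flags settings that deserve a second look. It does not prove that an instance is safe, and it says nothing about firewall rules, user roles, or encryption of the stored data.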

MongoDB lists companies such as KPMG, Telefonica, and Eharmony as customers: It's obviously possible to configure and administer a MongoDB database in a way that is secure and in compliance with multiple regulations. Unfortunately, it is quick, easy, and cheap to launch a MongoDB instance that is a gift to criminals and a nightmare for its owners and their customers.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ...
 

Comments
Cypher1,
User Rank: Apprentice
3/12/2019 | 1:49:22 PM
Encrypt by default
Unless you have been living under a rock for the last decade, it should come as no surprise that PII has incredible street value.  So why would any organization/company/agency even think about standing up a database with PII and not do the basics of encrypting the data?  And I'm not talking about Full Disk Encryption or using SEDs.  That protection scheme sailed a long time ago as a viable data protection mechanism.  OS-side attacks reign supreme at accessing this information.  There are solutions available that will encrypt at the file/folder level, including MongoDB, and wrap that encryption with strong access policies.

Is cost the reason this is not done? Then I must ask "the cost of what?"  The solution and the FTEs to implement such a security measure?  Or the cost to your business post breach?  Basic data protection mechanisms at the data level must be implemented.  Having physical security access to your data room just isn't an answer.