A database belonging to a US-based insurance marketing website has been left open and accessible to the public, exposing more than 5 million records.
Security researcher Bob Diachenko discovered the public MongoDB instance, which appeared to be part of the website’s marketing leads database. Diachenko tweeted that the database had been spotted on BinaryEdge.
The records in the database contained personal information including first and last names, full addresses, IP addresses, email addresses, dates of birth, gender and marketing-related information.
“Some records—about 239,000—also indicated insurance interest area, for example, cancer insurance. Data was spread around several categories, including life, auto, medical, and supplemental insurance.”
Access to the database has now been disabled and a proper security configuration has been installed.
Diachenko explained the dangers of exposing databases like MongoDB without authentication:
“I have previously reported that the lack of authentication allows the installation of malware or ransomware on the MongoDB servers. The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges.
“Once the malware is in place, criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains.”
Those whose information has been exposed could be at risk of spam, targeted phishing and fraud.