An open and unprotected MongoDB was found exposing extremely sensitive information.
Security researcher, Bob Diachenko, discovered the database on August 4th, and found that it belonged to a Spanish company managing a chain of “mens clubs” across the country.
The database had contained extremely sensitive information including the full profiles of 3,350 girls, which had their real names, DOBs, nationality, scanned IDs, and internal comments left by management.
The database also contained 4,636 customer comments, with their IPs, emails, name coordinates and user device characteristics. As well as clubs turnover stats, encrypted admin passwords, logins and more.
Diachenko had notified the company on August 6th, and received a response from the alleged owner, who had shut down all access to the exposed database.
Diachenko has chosen not to publicly name the company behind the men’s clubs, as individuals associated with prostitution carry a stigma, and many suffer reputational, physical or emotional harm.
“I have purposely left this post without any attribution to the company responsible for the misconfiguration. My only goal is to focus not on the nature of the exposed data but the cyber hygiene in general and again highlight the importance of keeping sensitive data secured – especially those that might be easily manipulated if/when exposed.”
“The danger of having an exposed MongoDB or similar NoSql databases is huge,” Diachenko stressed.
It puts everyone at risk on the database of being identified and their data being exploited. Additionally the lack of authentication allows the installation of malware or ransomware on the MongoDB servers.
“The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges. Once the malware is in place criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains.”
PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.
For more information on upcoming events, visit the website.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.