
MongoDB Config Error Exposed 93M Mexican Voter Records (csoonline.com) 69

An anonymous reader cites an article on CSOOnline: A 132 GB database, containing the personal information on 93.4 million Mexican voters has finally been taken offline. The database sat exposed to the public for at least eight days after its discovery by researcher Chris Vickery, but originally went public in September 2015. Vickery, who works as a security researcher at Kromtech, discovered the MongoDB instance on April 14, but had difficulty tracking down the person or company responsible for placing the voter data on Amazon's AWS. He first reached out to the U.S. State Department, as well as the Mexican Embassy, but had little success. The database contains all of the information that Mexican citizens need for their government-issued photo IDs that enable them to vote. Along with their municipality, and district information, the database records include the voter's name, address, voter ID number, date of birth, the names of their parents, occupation, and more. [...] Given that the database has been online since September 2015, it isn't clear how many people have accessed the records. Additionally, the actual owner of the account hosting the data remains unknown.
  • by Anonymous Coward on Friday April 22, 2016 @02:04PM (#51966649)

    Look at all this fail they've enabled with their shitty defaults.

    Even mysql demands that I configure a root password when I install it.

  • It's happened with Turkey and now Mexico (although with Turkey that was more malicious).

    We haven't had this sense of digital identity that we have today. In the US, our tax numbers are secret (SSN numbers) but in many other countries, tax ID numbers are considered public or non-identifying (Australia's TFNs and NZ's IRD # come to mind).

    Go back 100 years and you didn't have passports or work visas. If you could speak the language in your destination, you could go and attempt to work and survive (and if you

    • That's not how I would characterise the difference between Australian TFNs and US SSNs (I have both).

      In Australia, the TFN is a very sensitive piece of information and the only people who would ever ask for it are those you would expect to ask for a tax number: the tax department, your employer, and your bank/financial institutions. There are strict guidelines governing its use and it is explicitly defined as identifying information: https://www.oaic.gov.au/indivi... [oaic.gov.au]

      On the other hand, the US SSN is used for f

  • Less than a month ago http://www.theregister.co.uk/2... [theregister.co.uk]
  • Florida's voter rolls were uhhhh Hacked! http://flvoters.com/by_name/in... [flvoters.com]
    • by Anonymous Coward

      Mongo only pawn in game of life...

  • by Viol8 ( 599362 ) on Friday April 22, 2016 @02:33PM (#51966851) Homepage

    ... and start treating it as a key-value file system and it all makes sense. Sadly the mongo devs want us to think it's a competitor to mySQL or even Oracle. Yeah, right.

    Amateur hour DB + amateur hour admins = trouble ahead.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Stop blaming the technology for the idiots who use it. If you make a DB public what do you expect? You can do the exact same thing with any other DBMS.

      • Stop blaming the technology for the idiots who use it. If you make a DB public what do you expect? You can do the exact same thing with any other DBMS.

        NO, you can't. mySQL requires, yes, requires you to assign a root password upon install.

        Face it, the MongoDB defaults are shit. Just admit it and stop blaming the poor fuckers who have to use it. Yes, they should have assigned a password, but the fact of the matter is that MongoDB should have made it impossible not to.

        • Not only does it require that you assign a root password, it also requires you to change the config to listen on an ip address other than localhost. You also have to create a new user, as the default root user can only connect from local host.
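
Added example, not part of the original discussion: the two defaults argued over in this sub-thread (a required password and a localhost-only listener) correspond in MongoDB to the `security.authorization` and `net.bindIp` settings. The Python below audits an options document shaped like the `parsed` field returned by `getCmdLineOpts`; the function name `audit_mongod_options` and both sample documents are constructed for illustration.

```python
import ipaddress

# Constructed sample documents, shaped like the "parsed" field of getCmdLineOpts.
OPEN = {"net": {"bindIp": "0.0.0.0", "port": 27017}}
HARDENED = {"net": {"bindIp": "127.0.0.1,/tmp/mongodb-27017.sock", "port": 27017},
            "security": {"authorization": "enabled"}}

def _is_loopback(host):
    """True for localhost, loopback IPs and UNIX socket paths."""
    if host == "localhost" or host.startswith("/"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other hostname is treated as network-reachable

def audit_mongod_options(parsed):
    """Return (severity, message) findings for a mongod options document."""
    net = parsed.get("net", {})
    sec = parsed.get("security", {})
    # A keyFile implies access control even without an explicit authorization key.
    auth_on = sec.get("authorization") == "enabled" or "keyFile" in sec
    bind = net.get("bindIp")
    if net.get("bindIpAll"):
        remote = ["0.0.0.0"]
    elif bind is None:
        remote = None  # unset: the effective default depends on version/packaging
    else:
        hosts = [h.strip() for h in bind.split(",")]
        remote = [h for h in hosts if h and not _is_loopback(h)]
    findings = []
    if not auth_on:
        findings.append(("WARN", "security.authorization is not enabled"))
    if remote is None:
        findings.append(("WARN", "net.bindIp is unset; confirm the listener address"))
    elif remote:
        # Reachable from the network: critical when no credentials are required.
        sev = "INFO" if auth_on else "CRITICAL"
        findings.append((sev, "listens on non-loopback: " + ", ".join(remote)))
    return findings

if __name__ == "__main__":
    for name, doc in (("OPEN", OPEN), ("HARDENED", HARDENED)):
        print(name, audit_mongod_options(doc))
```
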

  • "MongoDB Config Error Exposed..." is the new "Florida Man..."

  • Oh my, 132Gb of tasty, tasty user data. It's like an all-you-can-eat hacker buffet.

    • That's true. But fortunately, the citizens live in a nice quiet country where there is no risk at all from having all your data publicized. Especially when you're working undercover, or get caught in the crossfire, there is no risk at all from having your address and that of relatives exposed on the internet.

  • We'll finally be able to steal our jobs back from Mexico.
  • Elections are harsh in Mexico, with the PRI (Institutional Revolutionary Party) doing whatever it takes to hold onto power. This might very well be on purpose to extract data on voters to fake votes and inflate ballot boxes. A good bribe to the sysadmin or even a harsh threat (political parties are known to have nexus with organized crime) could have been the reason for this.
