MongoDB Database Containing Over 275 Million Personal Records Exposed and Hacked (bleepingcomputer.com)
"An unprotected and public-facing MongoDB database containing over 275 million records of personal information on Indian citizens has been discovered on search engine Shodan," writes Slashdot reader helpfulhecker.
BleepingComputer reports that the detailed personally identifiable information was exposed online for over two weeks: Security Discovery researcher Bob Diachenko discovered the publicly accessible MongoDB database hosted on Amazon AWS using Shodan, and as historical data provided by the platform showed, the huge cache of PII data was first indexed on April 23, 2019. As he found out after further investigation, the exposed data included information such as name, gender, date of birth, email, mobile phone number, education details, professional info (employer, employment history, skills, functional area), and current salary for each of the database records.
While the unprotected MongoDB database leaked the sensitive information of hundreds of millions of Indians, Diachenko did not find any information that would link it to a specific owner. Additionally, the names of the data collections stored within the database suggested that the entire cache of resumes was collected "as part of a massive scraping operation" for unknown purposes.
Two months ago Diachenko also helped uncover over 800 million exposed email addresses in another unprotected MongoDB database. And in January an investigation with TechCrunch also discovered millions of highly sensitive financial documents from tens of thousands of individuals who took out loans or mortgages.
The same month Diachenko also discovered an exposed 854 gigabyte MongoDB database filled with resumes from over 200 million job-seekers in China.
Yeah, but MongoDB is *fast*! (Score:1)
And it's web-scale. Relational databases that refuse network connections by default are old 70s tech.
Re: (Score:3)
Number one rule of MongoDB security: Do not put it on an untrusted network.
Number one rule of computer security: No network should be trusted by default or for all things.
Re: (Score:2)
But it's web scale
Re: (Score:3)
Mongo used to accept any connections, with no password, by default, but I don't think it does that anymore. Now you have to specifically tell it to spew your data all over the net.
This isn't Mongo's fault, it's the fault of people doing a job they are not qualified for.
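The two comments above come down to two lines of mongod.conf: what interfaces the server binds to, and whether authorization is enabled. The script below is an added example written for this thread, not code from the article, from Slashdot or from MongoDB. It parses the YAML subset that mongod.conf uses (a small hand-written parser, an assumption made so the script runs without PyYAML) and flags the "open to the world" combination: `net.bindIp` on all interfaces (or `net.bindIpAll: true`) with `security.authorization` left at its default of disabled. Both sample configurations are constructed for the example; the note about the default binding changing to localhost in MongoDB 3.6 reflects the upstream release notes.

```python
"""Audit a mongod.conf for the settings behind most exposed-MongoDB incidents.

Added example for this discussion; not from the article or from MongoDB.
Assumes the YAML subset used by mongod.conf: nested mappings, scalar leaves.
"""

# Addresses that make mongod listen on every interface of the host.
ALL_INTERFACES = {"0.0.0.0", "::"}


def parse_simple_yaml(text):
    """Parse nested mappings with scalar leaves, indentation-based.

    Good enough for mongod.conf; deliberately not a general YAML parser.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs for the current path
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and blank lines
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # climb back out of deeper mappings
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # "key:" opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value.strip('"').strip("'")
    return root


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means neither risk is present."""
    cfg = parse_simple_yaml(text)
    net = cfg.get("net", {})
    security = cfg.get("security", {})
    findings = []

    bind_all = str(net.get("bindIpAll", "false")).lower() == "true"
    addrs = {a.strip() for a in str(net.get("bindIp", "127.0.0.1")).split(",")}
    if bind_all or ALL_INTERFACES & addrs:
        findings.append("net.bindIp: listens on all interfaces, reachable from any network")
    elif "bindIp" not in net and "bindIpAll" not in net:
        findings.append("net.bindIp: not set; relies on the release default "
                        "(localhost since 3.6, all interfaces on older releases)")

    # security.authorization defaults to disabled: every connection reads everything.
    if str(security.get("authorization", "disabled")).lower() != "enabled":
        findings.append("security.authorization: not enabled, no credentials required to read data")
    return findings


# Constructed sample: the shape of an "open to the world" mongod.conf.
WEAK_CONF = """\
# constructed example, pre-3.6 style exposure
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""

# Constructed sample: bound to loopback, authorization on.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```

Run against a real mongod.conf the script reports only the two settings that matter here; a localhost binding on its own still needs authorization enabled, since anything else on the host (or anything that can reach it through a proxy or tunnel) would otherwise read every collection.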
They thought they had a perfect defense (Score:2)
But the diabolical hacker didn’t use a JOIN when pulling all that data.
Those are quick hackers ... (Score:2)
... if they could get to the data before Mongo DB lost it.
It is not "hacked" (Score:4, Interesting)
... if it is unprotected.
Re: (Score:2)
... if it is unprotected.
So a break-in is a break-in if one window wasn't locked?
kinda beautiful (Score:3)
I don't know about anyone else, but I find stories like this kinda beautiful.
Silicon Valley has embraced unamerican surveillance state totalitarianism with open arms. While doubling down on race-to-the-bottom employment policies: outsourcing, H1B scabs, caste politics, racism, ageism, sexism, raging nepotism, credentialism, etc. The inbred upper class twits who own the Valley have made it clear they hate us deplorable nerds, and are doing their very best to replace us.
More and more beaches are inevitable. The problem can only get worse. Those who could prevent the beaches, won't be given the chance to do so. Privacy is gone - everything, everyone, everywhere is surveiled at all times. The algos know when you take a shit and how many pieces of TP you use. And allllllllll that snooping data is gonna leak.
So let's just sit back and laugh while the world burns. We dreamed we were building freedom when in fact we were building dystopia. The system can't be saved and doesn't deserve to be saved. The best case scenario is for this whole superstructure of cybernetic totalitarianism to collapse under the weight of its own complexity, expense, and internal contradictions.
Let it burn!
Re: kinda beautiful (Score:2)
"More and more beaches are inevitable."
Fuck I wish Slashdot would implement posting previews in mobile view. I hope it was obvious that more and more breaches, not beaches, are inevitable.
Re: (Score:3)
I can't tell if it's something new or not. There have always been some really, really good programmers (like Donald Knuth), and some average programmers (like COBOL coders), and some really bad programmers (like the one pointed out by GravisZero [slashdot.org]).
Maybe nothing has changed at all, but it seems a lot harder now.
Re: (Score:2)
I think Agile is part of it, whether a cause or a symptom is unclear, but it's part of it.
So you think soon we'll have a new design methodology, 'Advanced Programming' or some other branding name, that involves planning what you build beforehand, and people will start saying things like, "Agile sucks, I can't believe how many people were suckered by it," and soon everyone will be perpetuating the idea that Agile was the programming methodology high-as-fuck hippies and .bombers invented because they didn't have to 'build thing?'