How Databases with Personal Info Get Accidentally Left Open on the Public Web
After the MacKeeper leak, it turns out at least 34,000 databases suffer from similar problems.
On Tuesday, it emerged that the personal details of 13 million users of MacKeeper—essentially a piece of adware that tells people they can keep their Mac secure—were sitting in a database that was publicly accessible by anyone with an internet connection. Well, it turns out that a lot of other companies might suffer the same problem.
In fact, at the time of writing, 34,485 databases running the same software as MacKeeper can be discovered via the tool Shodan, which is essentially a search engine for computers, according to a report generated by Motherboard.
MongoDB is a piece of software used for constructing and maintaining databases. It's been free and open source since 2009, and has been used by eBay, as well as Craigslist. Commercial licenses for MongoDB are also available.
Usually, MongoDB seems to do the job just fine, at least judging by the testimonies of happy users. But, if the software is not configured correctly, a system administrator can inadvertently expose their company's data to the public internet.
That is what the guys behind MacKeeper seemingly did, and ended up leaking the details of 13 million customers, including names, email addresses, usernames, poorly secured passwords, phone numbers and IP addresses. A spokesperson for MacKeeper told Motherboard the error was fixed "within hours of the discovery," and said its users' privacy and security is "our top priority."
But 35,000 is still a substantial number of databases that are ripe for the picking
It also looks like OkHello, a free video chat service, made some similar mistakes. According to DataBreaches.net, a site that, as you might expect, follows news of data breaches, an OkHello database has exposed the details of 2,627,082 users.
"No passwords or authentication are needed to view and download user details that include first and last names, password hash, Facebook IDs, phone number, email address, messages, and friends' information," DataBreaches.net writes.
Since the publication of that article on December 6, and several updates by DataBreaches.net, it appears OkHello has gotten wind of the problem, and quietly plugged the leak. The company did not respond to a request for comment from Motherboard.
Earlier today, Shodan's creator, John Matherly, wrote that 35,421 databases running MongoDB were discoverable by the search engine.
In other words, "684.8 TB of data exposed by publicly accessible MongoDB instances," Matherly tweeted.
Presumably some companies have wised up between Matherly's blog post, published this morning, and Motherboard's own reporting, as that number has decreased by around a thousand. And there is a chance that some of those results might be duplicates, or perhaps left intentionally open for ease of access.
But 35,000 is still a substantial number of databases that are ripe for the picking. Weirdly, that number has actually increased over the last six months. Back in July, Matherly wrote that the number of MongoDB instances found by Shodan was just under 30,000.
One possible reason for these exposed databases, Matherly explained, is that some versions of MongoDB shipped with default settings that, if not changed by the system administrator, may have led to these sort of leaks.
And, it wouldn't be fair to single out users of MongoDB here either. Other setups can also suffer from similar misconfiguration issues. At the time of writing, a search for Redis, CouchDB, and Cassandra, which are other database systems, returned 44,800, 346, and 2,949 results respectively.
When asked for comment, MongoDB directed Motherboard to a statement that was released when the Shodan research was first reported on: "The potential issue is a result of how a user might configure their deployment without security enabled. There is no security issue with MongoDB - extensive security capabilities are included with MongoDB. We encourage all users to follow the guidelines we prescribe for security. Security best practices are summarized here, or customers can contact MongoDB support. This is an important opportunity for everyone to ensure they are following security best practices."
So, as we pointed out earlier today in our report on the MacKeeper leak: if your company's database is publicly exposed, don't expect it to go unnoticed. Finding vulnerable systems takes only a couple of seconds and clicks of a mouse, especially when they are negligently left out in the open like this.