[BreachExchange] MongoDB server exposes personal info on 700K Amex India customers
Destry Winant
destry at riskbasedsecurity.com
Fri Nov 9 09:25:11 EST 2018
https://hackercombat.com/mongodb-server-exposes-personal-info-on-700k-amex-india-customers/
What could be more fateful than the fact that an unsecured MongoDB
server has exposed personal data on 689,272 American Express India
customers?
Bob Diachenko, director of cyber risk research at Hacken and the
researcher who discovered the server, said in a blog post that the bulk
of the data it housed – more than 2.3 million records – was encrypted,
requiring an encryption key, but the nearly 700,000 customer records
were in plaintext, exposing names, email addresses, phone numbers and
card types.
Diachenko wrote. “I came to this conclusion since many of the entries
contained fields such as ‘campaignID’, ‘prequalstatus’ and ‘leadID’
etc. Upon closer examination, I am inclined to believe that the
database was not managed by AmEx itself but instead by one of their
subcontractors who were responsible for SEO or lead generation.”
The unprotected server is one in a long string of similar exposures.
“There have been several instances in the past where MongoDB servers
were compromised simply because they were being set up without proper
authentication and, thus, were left open on the Internet,” said Rod
Soto, director of security research at JASK. “The compromise workflow
for these types of data leaks is simple. Sensitive information is left
publicly available in a data repository due to poor developer
practices – and essentially has a bullseye on it to be targeted by
malicious actors that scan these repositories to find vulnerable ones
and compromise valuable info.”
Soto said that “large data leaks like this Amex India instance should
drive home how pivotal it is to take proper security precautions with
all third-party services. If they’re not configured properly, they
will continue to lead to massive data leaks.”