[BreachExchange] MongoDB server leaks 11 million user records from e-marketing service

Destry Winant destry at riskbasedsecurity.com
Tue Sep 18 23:46:33 EDT 2018


https://www.zdnet.com/article/mongodb-server-leaks-11-million-user-records-from-e-marketing-service/

On Monday, a security researcher who specializes in finding exposed
databases identified an unsecured MongoDB server that was leaking
the personal details of nearly 11 million users. The server appears to
belong to an email marketing firm based in California.

The data, contained in a 43.5GB dataset, included full names, email
addresses, gender information, and physical addresses such as state,
city, and ZIP code for 10,999,535 users.

All email addresses contained in this database were Yahoo-based,
suggesting this was only a small part of a larger dataset, most likely
stored on multiple servers.

Besides personal user information, the data also contained DNS details
and email delivery status information about messages a user had
received.

Bob Diachenko, the security researcher who discovered the breach and
shared his findings with ZDNet, says the database had been left exposed
online since at least September 13, the date when the Shodan search
engine had last indexed it and tagged it as a "compromised" server.

The database received this marker because, besides its normal content,
it also included a table named "Warning" that contained a data
collection with the following text:

"Your Database is downloaded and backed up on our secured servers. To
recover your lost data: Send 0.4 BTC to our BitCoin Address and
Contact us by eMail with your server IP Address and a Proof of
Payment. Any eMail without your server IP Address and a Proof of
Payment together will be ignored. You can apply for a backup summary
within 12 hours. Then we will delete the backup. You are welcome!"

This is your typical ransom note that has been popping up on exposed
MongoDB databases since late 2016.

The group behind this particular attack asked for ransom payments of
0.4 Bitcoin ($2,400) via the "3GKioTFrCFYcTmZR4DXPGatTXXp6Ugcq79"
Bitcoin address. That address currently holds four payments for a
total of 1.6 Bitcoin.

A Google search reveals that this particular message, Bitcoin and
email address, have appeared in other cases reported by other MongoDB
server owners based in China in late June [1, 2].

Since MongoDB ransomers tend to rotate email addresses and messages at
various intervals, the presence of this note on the exposed server
suggests the database was also exposed in late June when that
particular database ransom campaign was in full force.

Furthermore, the two Chinese server owners reported that attackers
wiped their databases in an attempt to force a payment for a "back-up"
operation that clearly did not take place.

This detail also suggests that this particular email marketing
database had also been wiped in June, restored, and continued to
operate without proper security controls even after such a disruptive
security incident.
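The two indicators the article describes, a ransom note left in a collection named "Warning" (the marker Shodan keyed on) and a mongod running without access controls, are both easy to check for. The script below is an added example and is not code from ZDNet, Diachenko, or the database owner: the first function triages a dump of collections for the known MongoDB ransom-note pattern, the second scans a mongod.conf for the two settings whose absence produces this kind of exposure. The collection-name list, the two-signal threshold, and the config-scan logic are assumptions for illustration; the address regex only covers legacy base58 addresses, not bech32. The sample dump is constructed, except that the Bitcoin address and note text are quoted from the article.

```python
import re

# Collection names that MongoDB ransom campaigns have used for their note.
# Assumed list for illustration; the server in the article used "Warning".
NOTE_COLLECTIONS = {"warning", "readme", "read_me", "please_read", "warn"}

# Legacy (P2PKH/P2SH) base58 Bitcoin address: leading 1 or 3, 26-35 chars,
# no 0, O, I or l. Bech32 (bc1...) addresses are not matched.
BTC_ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
RANSOM_WORDS = ("btc", "bitcoin", "recover your", "backed up", "send ")


def find_ransom_notes(dump):
    """dump: {collection_name: [documents]} as you would get by listing
    every collection on an unauthenticated server. Returns one finding per
    suspicious document with the BTC address(es) and amount demanded."""
    findings = []
    for name, docs in dump.items():
        for doc in docs:
            text = " ".join(v for v in doc.values() if isinstance(v, str))
            low = text.lower()
            hits = sum(w in low for w in RANSOM_WORDS)
            addrs = BTC_ADDR_RE.findall(text)
            # Flag on the collection name, on an address, or on two or more
            # ransom phrases (one phrase alone gives too many false positives).
            if name.lower() in NOTE_COLLECTIONS or addrs or hits >= 2:
                amt = re.search(r"(\d+(?:\.\d+)?)\s*BTC", text, re.I)
                findings.append({
                    "collection": name,
                    "btc_addresses": addrs,
                    "amount_btc": float(amt.group(1)) if amt else None,
                    "excerpt": text[:80],
                })
    return findings


def audit_mongod_conf(conf_text):
    """Line-level scan of a mongod.conf (YAML) for the two settings that turn
    a server into the kind of exposure described above: listening on all
    interfaces and running without access control. This is a key: value
    scan, not a YAML parser; nested keys are matched by name only."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip().strip("\"'")
    issues = []
    bind = settings.get("bindIp")
    if bind is None:
        # mongod 3.6+ defaults to localhost; older releases bind every interface.
        issues.append("bindIp not set: versions before 3.6 listen on all interfaces")
    elif any(a.strip() in ("0.0.0.0", "::") for a in bind.split(",")):
        issues.append("bindIp %s: listens on all interfaces" % bind)
    if settings.get("authorization", "disabled").lower() != "enabled":
        issues.append("security.authorization not enabled: no access control")
    return issues


# Constructed sample dump; the note text and address are from the article.
SAMPLE_DUMP = {
    "users": [{"name": "Jane Doe", "email": "jane@example.com", "state": "CA"}],
    "Warning": [{
        "BitCoin": "3GKioTFrCFYcTmZR4DXPGatTXXp6Ugcq79",
        "Solution": "Your Database is downloaded and backed up on our secured "
                    "servers. To recover your lost data: Send 0.4 BTC to our "
                    "BitCoin Address and Contact us by eMail with your server "
                    "IP Address and a Proof of Payment.",
    }],
}

WEAK_CONF = """net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for f in find_ransom_notes(SAMPLE_DUMP):
        print("ransom note in collection %(collection)s: %(btc_addresses)s "
              "demanding %(amount_btc)s BTC" % f)
    print("weak config:", audit_mongod_conf(WEAK_CONF))
    print("hardened config:", audit_mongod_conf(HARDENED_CONF))
```

Run against a real server, feed `find_ransom_notes` the output of listing each database's collections with `pymongo`; a hit means the data has already been pulled, so the response is breach handling, not just re-securing the listener.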

While initially it was not clear who owned this database, a small
suffix present in several records, such as
"Content-SaverSpy-09092018", suggested the data may belong to a
company named SaverSpy.

Combining a simple Google search along with the nature of the user
records found in the exposed database led both this reporter and
Diachenko to believe the data belonged to SaverSpy.com, a daily deals
website. The SaverSpy.com website claims to operate under the
Coupons.com brand, but a Quotient spokesperson told ZDNet today that
SaverSpy is only part of an affiliate program.

Both ZDNet and Diachenko alerted the operators of the SaverSpy website
about the exposed server. While we have not heard back from the
company, the server was secured earlier today.

Earlier this month, Diachenko also discovered a server belonging to
Veeam, a data management firm, which was exposing over 445 million
records.


More information about the BreachExchange mailing list