[BreachExchange] Unprotected MongoDB Exposes Scraped Profile Data of 66 Million

Fri Dec 7 09:38:48 EST 2018

https://www.bleepingcomputer.com/news/security/unprotected-mongodb-exposes-scraped-profile-data-of-66-million/

Information belonging to more than 66 million individuals was
discovered in an unprotected database, within anyone's reach, if they
knew where to look on the web. The records look like scraped data from
LinkedIn profiles.

The cache includes personal details that can identify users and could
help adversaries create phishing attacks that are more difficult to
recognize.

According to Bob Diachenko, Director of Cyber Risk Research at Hacken,
the trove was exposed via a MongoDB instance that could be accessed
without authentication.

He found 66,147,856 unique records containing full name, personal or
professional email address, user's location details skills, phone
number, and employment history. A link to the individual's LinkedIn
profile was also present.

Given the nature of these details and the lack of sensitive
information like payment card data or passwords makes Diachenko assume
that the data was scraped from publicly available LinkedIn profiles.

Initially, the collection was smaller

The researcher initially noticed the collection in October, in a
repository called "database" that contained 49 million records. This
was part of a larger discovery that saw over 120 million records
exposed.

Apart from the seemingly LinkedIn profile details, there were two
other databases. One was managed by a company in Florida with 22
million records that included the email addresses, names, and the area
where a candidates sought a job. The other collection had 48 million
entries with names, work email addresses, phone number and employee
details.

In a conversation with BleepingComputer, Diachenko says that these
MongoDB instances shared various fragments of a common dataset and
emerged online between October and late November.

Check if your details were exposed

He was unable to determine the owner of the database but says that it
is no longer online at the moment. This does not exclude the
possibility of popping on the web again, though.

The scraped data is currently uploaded to the HaveIBeenPwned service
which allows users to check if their personal information has been
exposed.

Regarding the legality of web scraping for personal data, Diachenko
says that it is legal to copy what is publicly available but it should
not be used against the best interests of the owner, which is
considered an offense.

"Since the data displayed on websites is meant for public consumption,
it is legal to copy the information to a file on your personal
computer. However, if that information is used in any way that goes
against the best interests of the owner, then it is totally illegal,"
he explains.

Because there is the risk of the personal data to be used against you,
the researcher recommends sharing only the "bare minimum" when
creating an online profile or account.