Much has been written about the dangers of poorly secured MongoDB databases, among other database software. Despite the many warnings, millions of records have been lost to misconfigurations of this database software. Now yet another massive database leak has been uncovered, this one tied to an insecure MongoDB installation and exposing at least 58 million subscriber records.
Twitter user @0x2Taylor posted the exfiltrated data on the file sharing site MEGA twice over the weekend, and each time the data was taken down very quickly. The data was then released a third time on a smaller file sharing website. After analyzing the dataset, we can confirm that nearly 58 million records containing full names, IP addresses, dates of birth, email addresses, vehicle data and occupations were included in the leak.
The structure of the data indicated that the dataset originated from a MongoDB export, and the size of the dataset strongly suggested that the search site Shodan.io was the tool used to discover the open database. The use of Shodan.io was later confirmed by 0x2Taylor. A subsequent exchange soon led to an interesting twist on the typical leaky database story. Apparently the party that initially identified the open database on Shodan chose to share the IP address of the database with friends (instead of contacting the organization directly), ultimately resulting in the data being exported and dumped online.
Giving The Data An Owner
While the data itself is easy enough to read, identifying the owner of the database proved more challenging. Nothing within the dumped dataset itself pointed to who might be responsible for the information. Through additional investigation and subsequent exchanges with 0x2Taylor, researchers were able to obtain the IP address of the database. With that information, researchers were able to confirm that it was an open MongoDB installation and identify the owner as Modern Business Solutions. Working with Databreaches.net, Modern Business Solutions was contacted and made aware of the issue. Although neither RBS nor Databreaches.net has yet received a reply from Modern Business Solutions, the database has since been secured and is no longer accessible.
Wait, 58M Records Or 258M?!
Shortly after discovering the ownership, our researchers received a curious update from 0x2Taylor. New information emerged indicating that an additional table had been identified, containing 258 million rows of personal data. The data was presented in a similar format to the original leak.
Upon learning of this second table, RBS researchers attempted to confirm its presence and discovered that the database had already been secured by that point. It is unclear how much data from this second table may have been compromised between the time of its discovery and the database being secured.
Who Is Modern Business Solutions?
Modern Business Solutions (MBS) describes itself as a technology and application service provider specializing in data management and monetization services for data owners. Based in Austin, TX, the firm claims to help “clients build their revenue streams by providing content and services” to a variety of industries including the automotive and employment verticals. This could help explain the appearance of both vehicle data and occupation information contained in the database. MBS also offers a cloud-based data management platform called Hardwell Data. The website for Hardwell describes the platform as allowing customers to collect, store and transfer data records regardless of format, including a cloud-based hosting system for databases, regardless of size or age. Several of the table names observed by RBS researchers included the prefix hw_, raising some tantalizing questions as to whether the exposed data originated from the Hardwell Data platform.
Putting The Breach In Context
There have been 2,928 publicly disclosed data breaches so far this year, exposing more than 2.2 billion records. While 2.2 billion is a big number, RBS research indicates that 55% of the breaches taking place in the first half of 2016 exposed 10,000 or fewer records. Unfortunately, some of the most notable “mega-breach” exceptions have come from misconfigured databases. With so much media attention given to mysterious “Russian hackers” or the more general “state sponsored actors”, it can be easy to lose sight of the fact that some of the largest and most damaging breaches have nothing to do with the nebulous “advanced persistent threat”. Rather, they can be attributed to weak controls, poor management practices or under-resourced staff.