ZDNet: CVs containing sensitive info of over 202 million Chinese users left exposed online. “A security researcher has stumbled over an unsecured MongoDB database server that contained highly detailed CVs for over 202 million Chinese users. Who owned the database is still a mystery, said Bob Diachenko, Director of Cyber Risk Research at Hacken Proof, the one who found the server’s data left exposed online.”
TechCrunch: Garmin-owned navigation unit exposed thousands of boat owners’ data. “Navionics, an electronic navigational chart maker owned by tech giant Garmin, has secured an exposed database that contained hundreds of thousands of customer records. The MongoDB database wasn’t secured with a password, allowing anyone who knew where to look to access and download the data.”
Bleeping Computer: Data Management Firm Exposes 445 Million Records. “A database with over 200GB of data was found on a server left defenseless and open to public query, to anyone knowing where to find it. The storage included about 445 million customer records from Veeam, a Swiss-based company that provides intelligent data management services for virtual, physical and cloud infrastructures.”
WIRED: If You Want to Stop Big Data Breaches, Start With Databases. “While companies commonly use these databases to store tempting troves of customer and financial data, they often do so with outdated and weak default security configurations. And while any type of database can be left open or unprotected, a string of breaches over the last few years have all centered around one type in particular: open-source ‘NoSQL’ databases, particularly those using the popular MongoDB database program. Of course there are many types of hacks that can ultimately lead to data breaches, like using spear phishing to gain access to a network, but securing exposed databases is a relatively easy and concrete step organizations can take to strengthen their data defense.”
TechCrunch: MongoDB’s Atlas database service goes freemium. “MongoDB is still best known for its flagship NoSQL database product, but last year, the company also launched Atlas, a managed database-as-a-service offering that runs on AWS. At the time, MongoDB only offered a paid version of this service (which made sense, given that the company has to pay AWS for its servers), but starting today, it’ll offer developers who want to simply learn about MongoDB or start developing and prototyping apps on top of the service a free tier, too.” Would this help prevent the many MongoDB problems that have been reported in the last year? Just do a Web search for MongoDB leak and you’ll see what I mean.
A new-to-me tool helps users assess their MongoDB databases for security. “More than 25,000 MongoDB instances were targeted by hackers. Information was encrypted and money was asked for the decryption keys. In some cases information was wiped with no way to recover it. Mongoaudit tackles this problem and more. It not only detects misconfigurations, known vulnerabilities and bugs; it also gives advice on how to fix problems and recommends best security practices.”
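The common thread in the WIRED piece and the Mongoaudit write-up is two settings in mongod.conf: a listener reachable from the network, and authorization left off. Here is a small check of that sort, written as an added example for this post; it is not code from Mongoaudit, MongoDB or any of the articles quoted here. The two config files inside it are constructed samples, and the config reader is a deliberately minimal parser for the YAML subset mongod.conf uses (assumed: nested mappings with scalar leaves, space indentation), so the script runs without PyYAML.

```python
"""Audit a mongod.conf for the pattern behind the open-MongoDB leaks:
a network-reachable listener combined with authorization disabled.
Added example for this post; not from Mongoaudit, MongoDB or the
quoted articles."""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_conf(text):
    """Parse the YAML subset mongod.conf uses: nested mappings with
    scalar leaves, no sequences or anchors. Assumption: consistent
    space indentation. Minimal on purpose so this runs without PyYAML;
    use a real YAML parser on production configs."""
    root = {}
    stack = [(-1, root)]                     # (indent, mapping) per open level
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments, trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        while stack[-1][0] >= indent:         # close deeper or equal levels
            stack.pop()
        parent = stack[-1][1]
        if value == "":                       # mapping header such as "net:"
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def lookup(conf, dotted, default=None):
    """Fetch a dotted key such as 'security.authorization'."""
    node = conf
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit(conf):
    """Return (severity, message) findings; an empty list means nothing flagged."""
    findings = []

    bind_all = lookup(conf, "net.bindIpAll", "false").lower() == "true"
    bind_ip = lookup(conf, "net.bindIp")
    if bind_all:
        exposed = True
        findings.append(("high", "net.bindIpAll is true: mongod listens on every interface"))
    elif bind_ip is None:
        # MongoDB 3.6+ binaries default to localhost; older ones bound to all
        # interfaces, so an unset value deserves an explicit setting either way.
        exposed = True
        findings.append(("medium", "net.bindIp not set: pre-3.6 binaries default to all interfaces; set it explicitly"))
    else:
        addrs = {a.strip() for a in bind_ip.split(",")}
        exposed = not addrs <= LOOPBACK
        if addrs & {"0.0.0.0", "::"}:
            findings.append(("high", f"net.bindIp {bind_ip!r} listens on every interface"))
        elif exposed:
            findings.append(("medium", f"net.bindIp {bind_ip!r} is reachable beyond loopback"))

    # Authorization is off unless explicitly enabled.
    auth_on = lookup(conf, "security.authorization", "disabled").lower() == "enabled"
    if not auth_on:
        findings.append(("high", "security.authorization is not 'enabled': any client that connects gets full access"))

    if exposed and not auth_on:
        findings.append(("critical", "network-reachable listener with authorization off: the open-database pattern behind the leaks"))
    return findings


# Constructed sample: the weak configuration behind the exposed servers.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0        # every interface
security:
  authorization: disabled
"""

# Constructed sample: loopback only, authorization required.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def main():
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for sev, msg in audit(parse_conf(text)) or [("ok", "no findings")]:
            print(f"  [{sev}] {msg}")


if __name__ == "__main__":
    main()
```

Binding to a non-loopback address is sometimes intended (replica set members, an application tier on a private network), which is why the script reports it as medium on its own and only escalates to critical when authorization is off as well; a server that must be reachable over the network needs `security.authorization: enabled` plus a firewall in front of port 27017.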
You remember those hacks on MongoDB databases I mentioned? They’re spreading. “For the past week, unknown groups of cyber-criminals have taken control of and wiped data from CouchDB and Hadoop databases, in some cases asking for a ransom fee to return the stolen files, but in some cases, destroying data just for fun. These incidents come after crooks hijacked and held data ransom from MongoDB databases since the start of the year.”