In November 2017, MongoDB changed the default network binding in version 3.6 so that mongod listens only on localhost (127.0.0.1) unless configured otherwise, which means a fresh install no longer exposes its port to the network. Even so, MongoDB instances are still being found wide open: older versions whose binary default was to listen on every interface, and newer ones explicitly bound to all interfaces with access control left switched off. When companies tout security as a main feature, this can be quite embarrassing and damaging.
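The difference between the old and new defaults, and the fact that bindIp alone is not enough (a database bound to all interfaces with authorization still disabled is exactly what Shodan indexes), is easy to check mechanically. The following is an added example, not code from the article or from MongoDB: a small audit of a mongod.conf that flags wildcard binding and missing `security.authorization`, taking the server's major.minor version into account because an absent `net.bindIp` meant "all interfaces" before 3.6 and "localhost only" from 3.6 on. The two configuration texts are constructed for the example, the 10.0.0.5 address is an assumed internal interface, and the YAML parser handles only the two-level `section:` / `key: value` layout mongod.conf uses (an assumption, not a general YAML parser).

```python
"""Flag exposure-prone settings in a mongod.conf (YAML) without external dependencies."""

# Version-dependent default for net.bindIp: before 3.6 mongod listened on all
# interfaces unless told otherwise; from 3.6 it binds to loopback only.
LEGACY_DEFAULT_BIND = "0.0.0.0"
MODERN_DEFAULT_BIND = "127.0.0.1"

# Any of these as a bind address means "every interface on the host".
WILDCARD_BINDS = {"0.0.0.0", "::", "*"}

# Constructed example: the pre-3.6 style of configuration that ends up indexed by Shodan.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed example: loopback plus one (assumed) private interface, with access control on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus an internal interface (assumed address)
security:
  authorization: enabled
"""


def parse_minimal_yaml(text):
    """Parse the two-level 'section:' / '  key: value' subset used by mongod.conf.

    Returns {section: {key: value}}; comments and blank lines are dropped.
    This is deliberately not a general YAML parser (assumption for the example).
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        if indent == 0:
            current = key
            sections.setdefault(current, {})
        elif current is not None:
            sections[current][key] = value.strip()
    return sections


def parse_bind_list(value):
    """bindIp may be '127.0.0.1,10.0.0.5' or a YAML flow list '[127.0.0.1, ::1]'."""
    value = value.strip().strip("[]")
    return [v.strip().strip("'\"") for v in value.split(",") if v.strip()]


def audit_mongod_conf(text, major_minor=(3, 6)):
    """Return a list of findings; an empty list means neither check fired."""
    cfg = parse_minimal_yaml(text)
    net = cfg.get("net", {})
    security = cfg.get("security", {})
    findings = []

    if net.get("bindIpAll", "").lower() == "true":
        binds = ["0.0.0.0"]                       # bindIpAll overrides bindIp
    elif "bindIp" in net:
        binds = parse_bind_list(net["bindIp"])
    else:                                         # nothing set: the version decides
        binds = [LEGACY_DEFAULT_BIND if major_minor < (3, 6) else MODERN_DEFAULT_BIND]

    exposed = [b for b in binds if b in WILDCARD_BINDS]
    if exposed:
        findings.append(f"listens on all interfaces ({', '.join(exposed)})")
    if security.get("authorization", "").lower() != "enabled":
        findings.append("security.authorization is not 'enabled' "
                        "(anyone who can reach the port can read every database)")
    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```

Run against a real server's config the two findings map directly onto the two things that went wrong in cases like this one: the port reachable from the internet, and nothing asking for credentials once a client connects. Note that a 3.4 server with no `net` section at all is reported as exposed, while the identical file on 3.6 is not, which is the whole substance of the default change.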
Although the 200GB database didn't include passwords or financial information, it did contain other PII that bad actors can piece together for spamming, spear-phishing, social engineering, identity theft (synthetic identities) or other nefarious attacks.
Companies need not only to secure their own perimeter but also to invest in an outside-in approach: monitoring the same public sources an attacker would use, such as the Shodan search that surfaced this database, so that they receive early notification when their domains, identity records and credentials turn up exposed.
Veeam, a Swiss-based company that develops backup, disaster recovery and intelligent data management software and which markets itself as a data giant that can “move securely across multi-cloud infrastructures”, appears to have left a 200GB MongoDB database open and defenceless, exposing 445 million customer records. Former Kromtech security researcher Bob Diachenko said in a blog post on Tuesday that he came across the Amazon Web Services (AWS)-hosted database last Wednesday while using the IoT search engine Shodan. The database had last been indexed on 31 August, Diachenko said, but he is not sure how long the records were exposed. By 9 September, four days after he found it, the publicly searchable, wide-open database had quietly been locked down again. TechCrunch’s Zack Whittaker says the server was pulled offline three hours after the publication informed the company about the exposure.