Context
A misconfiguration in a database could result in the exposure of millions of people’s sensitive information across the globe. Unprotected servers or open databases that are left publicly accessible without any authentication could put millions of users’ data at risk, causing serious damage to big organizations. Several such incidents have been witnessed in 2019.
The prominent data breaches of 2019
Unprotected MongoDB exposes 809 million records
On February 25, 2019, security researchers Bob Diachenko and Vinny Troia discovered an unprotected MongoDB database that was left open without any password protection. The open database belongs to the email marketing firm Verifications.io and exposed around 809 million records. The database contained three folders with different records. The first folder had over 790 million unique email addresses, and the second folder contained 4,150,600 records that had both email addresses and users’ phone numbers. The third folder contained over 6 million business lead records.
Chinese HR firms expose over 590 million resumes
Security researcher Sanyam Jain has reported almost 7 incidents since January 2019 in which the resumes of over 590 million Chinese job seekers were exposed. All 7 incidents were caused by misconfigured Elasticsearch servers.
275 million personal records exposed
Security researcher Bob Diachenko uncovered an unsecured MongoDB database that was hosted on Amazon AWS infrastructure. The leaky database contained almost 275,265,298 records of Indian citizens with personally identifiable information (PII) such as names, email addresses, genders, dates of birth, phone numbers, educational details, professional skills, employment history, current employer and salary. However, the data was all deleted by a hacker group named ‘Unistellar’.
198 million records of potential car buyers exposed
An unprotected Elasticsearch database belonging to Dealer Leads exposed almost 198 million records containing information about potential car buyers. The exposed data includes names, email addresses, phone numbers, addresses, IP addresses, ports, pathways, storage information, loan and finance inquiries, and details of vehicles that were for sale.
188 million records from Pipl.com and LexisNexis exposed
An unguarded MongoDB database that contained almost 188 million records of personal data from Pipl.com and LexisNexis was found exposed online. The exposed records included personal data such as names, dates of birth, gender, race, religion, email addresses, physical addresses, phone numbers, social media profiles, past and current employers, skills, automobiles and properties owned, court and bankruptcy notes, and political affiliations.
Honda exposed 134 million employee data
Security researcher Justin Paine discovered a misconfigured Elasticsearch instance belonging to Honda. The leaky database contained information for over 300,000 employees across the globe, which included employees’ names, email addresses, their last login, their computers' endpoint security vendor, network information, OS versions, hostnames, and patch status. The database had a table named “uncontrolledmachine” which contained 3,000 entries about Honda’s internal computers that weren't using endpoint security software.
Key takeaway
These incidents indicate that organizations are not taking the security of their servers seriously. To avoid such data leaks, organizations must secure their database configuration, enforce proper authentication, and encrypt the data stored in the databases.
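The pattern behind the incidents above (no authentication combined with a listener reachable from anywhere) can be checked in configuration before deployment. The following is an added example, not part of the original article: it audits mongod.conf and elasticsearch.yml text for those two settings, and the sample configurations and finding strings are constructed for illustration. It handles simple key/value YAML only.

```python
# Added example (not from the article). Sample configs below are constructed.
WILDCARDS = {"0.0.0.0", "::", "*", "_global_"}  # values meaning "every interface"

def flatten(text):
    """Flatten simple nested YAML (maps of scalars only) into dotted keys."""
    out, stack = {}, []  # stack holds (indent, key) of the enclosing maps
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, val = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        if val.strip():
            out[path] = val.strip().strip("\"'")
        else:
            stack.append((indent, key.strip()))
    return out

def listens_everywhere(value):
    return any(a.strip() in WILDCARDS for a in value.split(","))

def audit_mongod(text):
    c, findings = flatten(text), []
    # MongoDB leaves access control off unless authorization is enabled
    if c.get("security.authorization", "disabled") != "enabled":
        findings.append("authorization not enabled")
    if c.get("net.bindIpAll") == "true" or listens_everywhere(c.get("net.bindIp", "")):
        findings.append("listens on all interfaces")
    return findings

def audit_elasticsearch(text):
    c, findings = flatten(text), []
    # Assumption: an absent setting is treated as "off" (the conservative reading)
    if c.get("xpack.security.enabled", "false") != "true":
        findings.append("security features not enabled")
    if listens_everywhere(c.get("network.host", "")):
        findings.append("listens on all interfaces")
    return findings

WEAK_MONGOD = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
HARDENED_MONGOD = ("net:\n  port: 27017\n  bindIp: 127.0.0.1\n"
                   "security:\n  authorization: enabled\n")
WEAK_ES = "network.host: 0.0.0.0\nxpack.security.enabled: false\n"
HARDENED_ES = "network.host: 127.0.0.1\nxpack.security.enabled: true\n"

if __name__ == "__main__":
    print("mongod weak:", audit_mongod(WEAK_MONGOD))
    print("elasticsearch weak:", audit_elasticsearch(WEAK_ES))
```

A check like this fits in a CI step or a configuration-management pre-flight; it does not replace network-level controls or encryption at rest.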