MongoDB database containing over 275 million personal records exposed and hacked

Hu-Mongo-us database exposed on Shodan before being swiped by an unknown hacking group

An unprotected and public-facing MongoDB database containing over 275 million records of personal information on Indian citizens has been discovered on search engine Shodan.

Shodan indexes publicly viewable internet-connected devices and software applications, including unsecured webcams and exposed databases.

The database was found by security researcher and blogger Bob Diachenko, who spends a lot of his time scouring Shodan for exposed databases.

Although there is no indication of the database’s owner, it appears to contain scraped data from various job application websites, as it includes fields such as name, gender, education, professional skills and employment history.

Diachenko notified the Indian Computer Emergency Reponse Team (CERT) upon discovering the database on May 1, by which point it had been publicly indexed for over a week. On May 8 hackers managed to wipe the data, leaving the message “Restore? Contact: [email protected]”, suggesting an intent to hold the owner to ransom.

It is unlikely that the total records exposed corresponds to the total number of people exposed, given that no Indian job site holds the data of 275 million people. But even if some of the records are duplicates it is still one of the region’s biggest data breaches, Diachenko said.

In September, Diachenko discovered another Mongo database containing over 11 million customer records.

Danny Bradbury of Naked Security commented that the latest distributions of MongoDB turn on remote access prevention by default in an effort to mitigate these incidents.

“Whoever put this thing online was using an old version they hadn’t reconfigured, or a newer version with the protection disabled. They might do that for convenience, ignorant or uncaring about the security implications,” he said.