Once again an open source database, MongoDB, is the source of a huge breach. But it isn’t Mongo’s fault: the database wasn’t configured correctly. Human error, one more time.
OK, what are the details? And is it almost 60 million or 260 million?
Modern Business Solutions apparently provides data storage services, although they have refused to comment on the breach.
The names, email addresses, birth dates, vehicle data and other information for at least 58 million subscribers were taken and posted. The data was removed, reposted, removed again and reposted again.
After the researchers contacted Modern, the database was secured.
While the 58 million records were publicly posted, the hacker – or researcher – who originally posted a pointer to the leaked data said there was another table exposed that contained 258 million records.
Since the database is now better secured, it is not possible to validate that this additional table was exposed.
Interestingly, the leak/breach may have been disclosed accidentally. The Twitter user who disclosed it may have posted a public tweet instead of a private message.
How long was this data exposed? We don’t know since Modern is not saying. It could have been hours. Or it could have been years.
How many people knew about it? Again, not clear.
What fields were in the bigger table – the one with 260 million records? Again, we don’t know.
Apparently, whoever’s database it is feels that this doesn’t qualify as a breach that is required to be disclosed.
So what do you do? Unfortunately, all you can do is keep your antennae up, unless the folks at Modern decide that they really do have a breach that they have to disclose.
Or some state or national law enforcement agency decides that they need to fess up.
Information for this post came from Ars Technica.