When I read about the Mackeeper breach last week I didn’t quite grasp the implication of it. Now I do and it is much bigger than I understood.
For those who have not seen the news, Mackeeper, which is an Apple Mac anti malware/clean up your machine kind of product that some people like and others hate, exposed their entire customer database to the Internet – 13 million customers. One reason that I wasn’t too worried about this 21 gb data dump is that the company that makes Mackeeper said that they outsource credit card transactions (like a lot of companies do) so there was no financial data in the database. What was in there was names, userids, passwords (hashed), product information and stuff like that.
The article I read first also said that the company patched it within hours of being notified (good for them!) and that THEY claimed that there was only one access from the Internet and that was the researcher.
Here is the bigger problem that I didn’t quite grasp.
Let’s say that everything above is no big deal. Let’s do the rinse and repeat trick. Let’s do what the researcher did. Using the Shodan search engine, look for other MongoDB servers, a popular open source database, listening on the Internet.
Most people who understand this issue would say that a database server should NEVER be publicly exposed to the Internet and I agree.
Only problem is that a quick Shodan search by the founder of Shodan came up with 35,000 database servers representing more than 680 terabytes of data (that is the same as 680 million megabytes). That is kind of a large number.
Apparently, the Mongo database at Mackeeper did not have require a userid or password to access it (bad boys and girls!). What is unclear is how many of those 35,000 databases that John Matherly, the founder of Shodan, found also do not require a userid and password. Let’s say that it is only 10%. Well, then, no problem. Only 68 terabytes of data exposed. Of course we don’t know if the data is football scores or financial transactions, but you have to assume it is some of each. And we don’t know if it is 10%, 50% or 90% that don’t require a userid and password.
Now lets take this one step further. How about using the same tool to look for Microsoft databases or Oracle databases or a dozen other vendors. SOME of those databases either don’t require a password for access or use the default password.
So this is a much bigger problem than either Mackeeper or Mongo. Operations that expose database servers to the Internet beware. Some of that can be fixed with a simple firewall rule as was the case with Mackeeper. Other people will need to re-architect their software, which is a much bigger problem.
In any case, no one can say that they have not been warned.
Unfortunately, for you and me, we have no idea which companies have their act together and which ones do not.
But you can count on the fact that the hackers are looking. With just 35,000 Mongo databases to check out, it is going to be a busy weekend for some people.