A security researcher has identified an unsecured server that exposed details of nearly half a million Indian citizens. Bob Diachenko disclosed that he found a database online, named “GNCTD,” containing information collected on more than 400,000 individuals.
Diachenko found that the database contains references to, and email addresses on, the “transerve.com” domain for users registered with “senior supervisor” and “super admin” designations.
The leaked database contains the following tables:
- EB Users (14,861 records)
- Households (102,863 records)
- Individuals (458,388 records)
- Registered Users (399 records)
- Users (2,983 records)
One of the database tables contained registered users including email addresses, hashed passwords and usernames for administrator access.
“Households collection contained fields such as ‘name’, ‘house no’, ‘floor number’, ‘geolocation’, area details, ‘email_ID’ of a supervisor, ‘is the household cooperating for survey’ field, ‘type of latrine’, ‘functional water meter’, ‘ration card number’, ‘internet facility available’ and even ‘informan name’ field,” Diachenko said.
“The danger of having an exposed MongoDB or similar NoSQL databases is a huge risk. We have previously reported that the lack of authentication allowed the installation of malware or ransomware on thousands of MongoDB servers,” Diachenko said.
“The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges. Once the malware is in place, criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains.”
MongoDB is a popular, open-source NoSQL database used by many companies, from eBay and Sourceforge to The New York Times and LinkedIn. In recent months, we have published several reports where unprotected database servers have already exposed billions of records.
None of this is MongoDB’s fault, as administrators are always advised to follow the security checklist provided by the MongoDB maintainers.
On older versions of MongoDB, before version 2.6.0, the default configuration makes the database listen on a publicly accessible port. Admins are supposed to reconfigure it appropriately for online use but, unfortunately, many don’t.
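As an added illustration (not part of the original report and not MongoDB's own tooling), the following Python check reads a YAML-format mongod.conf and flags the two conditions discussed above: listening on all interfaces and running without access control. The sample configurations and the finding codes are constructed for this example; `net.bindIp`, `net.bindIpAll` and `security.authorization` are MongoDB's configuration option names.

```python
# Added example: defensive check of a mongod.conf (YAML) for the exposure described above.
# EXPOSED and HARDENED are constructed samples, not taken from the article.
EXPOSED = """\
net:
  port: 27017
  bindIp: 0.0.0.0
"""
HARDENED = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus one private interface (constructed)
security:
  authorization: enabled
"""
WILDCARD = {"0.0.0.0", "::"}

def parse_settings(text):
    """Flatten simple nested 'key: value' config into {'net.bindIp': '...'}."""
    settings, stack = {}, []              # stack: (indent, key) of open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()                    # leave sections we have dedented out of
        if value.strip():
            path = ".".join([k for _, k in stack] + [key.strip()])
            settings[path] = value.strip().strip("'\"")
        else:
            stack.append((indent, key.strip()))
    return settings

def audit(text):
    """Return finding codes: BIND_ALL, BIND_DEFAULT, NO_AUTH."""
    s = parse_settings(text)
    findings = []
    addrs = [a.strip() for a in s.get("net.bindIp", "").split(",") if a.strip()]
    if s.get("net.bindIpAll", "").lower() == "true" or WILDCARD & set(addrs):
        findings.append("BIND_ALL")        # reachable on every interface
    elif not addrs:
        findings.append("BIND_DEFAULT")    # listen address left to the version default
    if s.get("security.authorization", "").lower() != "enabled":
        findings.append("NO_AUTH")         # access control is off
    return findings

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit(conf))
```

A `BIND_DEFAULT` finding means the file does not set a listen address, so the result depends on the installed version's default, which is the situation the article describes for releases before 2.6.0.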