Unprotected MongoDB Account Exposes 200K Files

Written by

A security researcher has discovered yet another misconfigured MongoDB installation online, this time exposing over 200,000 highly sensitive corporate documents.

The 142GB MongoDB account was hosted on Amazon Web Services (AWS) infrastructure in the US and belonged to global document recognition and content capture software developer ABBYY, according to former Kromtech man Bob Diachenko.

Unfortunately, the account was left totally unprotected, with no password or log-in, meaning anyone with internet access could theoretically have gained entry.

“The biggest concern was the fact MongoDB in question also contained a large chunk of scanned documents (more than 200,000 contracts, NDAs, memos, letters and other internal documentation, properly OCR'd and stored) which apparently were stored by ABBYY partners using their administration console,” he explained.

The firm’s head of information security replied to Diachenko’s email requesting more info.

“Database access has been disabled soon after I sent him the IP address (two days after my initial notification), but questions still remain as of how long it has been left without password/login, who else got access to it and would they notify their customers on the incident,” he added.

A statement sent to the researcher following the incident claimed the “temporary data breach” affected just one of the developer’s customers, and that a “full corrective security review of our infrastructure, processes and procedures” has been undertaken.

ABBYY lists major global companies and governments among its customer base, including Deloitte, McDonald’s, Volkswagen and the Reserve Bank of Australia.

The firm is fortunate Diachenko found the trove of documents rather than online attackers who last year twice ran major campaigns in which data was stolen from exposed servers before being ransomed. It’s believed tens of thousands of victims were involved.

What’s hot on Infosecurity Magazine?