Veeam Manages to Expose Data in MongoDB Snafu

Written by

Data management firm Veeam has been left red-faced after a misconfigured MongoDB server was allowed to publicly expose 445 million records, including prospective customer names and email addresses.

Independent researcher Bob Diachenko claimed to have discovered the Amazon-hosted IP address, which was indexed on August 31, on September 5. Found via a simple Shodan search, it was left exposed without a password until September 9.

The 200GB trove appears to have been used by the company’s marketing automation team and included hundreds of millions of records collected from 2013 to 2017.

Publicly exposed data included customers’ first and last names, email addresses and recipient type (end-customer or partner), country, organization size and more, according to Diachenko.

“Even taking into account the non-sensitivity of data, the public availability of such large, structured and targeted dataset online could become a real treasure chest for spammers and phishers. It is also a big luck that database was not hit by a new wave of ransomware attacks which have been specifically targeting MongoDBs (with much more extortion amount demand than it was last year),” he commented.

“As I have already reported, issues with MongoDB have been known since at least March of 2013 and have been widely reported since. The company has updated its software with secure defaults and has released security guidelines. It's been five years now and these unsecured databases are still widely available on the internet.”

The news will be rather embarrassing for a firm which sells back-up and “intelligent data management” solutions to help firms “move securely across multi-cloud infrastructures.”

However, it seems to have acted pretty quickly to secure the server once notified by reporters.

A statement from the company claimed that the records were “non-sensitive” prospect emails, although that would still theoretically be enough to launch phishing attacks at the individuals.

“We have now ensured that all Veeam databases are secure,” it added. “Veeam takes data privacy and security very seriously, and a full investigation is currently underway."

Veeam President, Peter McKay has since confirmed that many of the records exposed were duplicates, and that the total number of unique email addresses affected is 4.5m.

What’s hot on Infosecurity Magazine?