Nov 22, 2018 21:11 GMT
A publicly available and unprotected MongoDB database found by security researcher Bog Diachenko exposed 9,376,173 records of personally identifiable data collected by the Adapt.io data aggregator.
As detailed by Diachenko, the wide open 123 GB database was directly accessible by anyone with a MongoDB ID, an Internet connection, and the knowledge needed to find the exposed server.
The database records contained a wide range of information from individuals’ full names, company name and description, the company’s size and revenue to phone numbers, company domain, and the total number of contacts for the company and emails for each of the contacts.
“While the data itself might be non-sensitive, the availability of it online without any authentication is not something you would expect,” said Diachenko. “The lawfulness of web scraping as a method of gathering data is debated, but open access to private data is definitely illegal.”
Moreover, companies found to break EU’s General Data Protection Regulation (GDPR) are subject to fines of up to €20 million or 4% of their annual worldwide turnover, whichever is greater.
Although this should be incentive enough even for companies with multiple billions as annual turnovers, there still are enough organizations which don’t take data protection as seriously as they should.
Adapt did not provide any response to Diachenko’s contact attempts
Diachenko’s analysis of the leaked data led to a data aggregation service named Adapt.io which, according to its own website’s description, "provides access to millions of business contacts. Adapt’s free tools help you enrich business profiles on any website with email, phone and a number of contacts.”
Despite at least one Adapt.io representative being contacted by Diachenko as part of a responsible disclosure procedure, the data aggregation service did not provide any response or explanation of why the 123 GB MongoDB containing 9.3M records of PII data was left unprotected and publicly accessible.
Until further details are provided by Adapt.io, there is no info regarding the reasons behind their massive database of employee records being made publicly available.
Bob Diachenko found another 200 GB-sized public customer record database on September 5th, owned by the data recovery and backup company Veeam who forgot to secure its data and exposed 445 million records related to an automated marketing campaign using Marketo.
Seems like @Adapt_io-originated database surfaced online, with no login/password needed to view the data (comprehensive business directory with contact details = emails on pretty much each and every decision maker in the world). @troyhunt - worth loading into @haveibeenpwned ? pic.twitter.com/q03uSz4GTU — Bob Diachenko (@MayhemDayOne) November 6, 2018
Liquid Layer Networks