Researcher Finds More Misconfigured Databases Exposing User Data

Chris Vickery, the researcher who identified dozens of misconfigured databases that exposed the credentials of millions of users, has reported finding more vulnerable databases.

Over the past weeks, Vickery has been searching the Web for misconfigured databases that expose user information. His work made the news in mid-December when he reported finding a database storing the details of 13 million MacKeeper users.

The developer of the controversial OS X security and optimization tool, Kromtech Alliance, quickly addressed the issue and announced its intention to cooperate with Vickery as it continues to look for vulnerabilities and security issues in its products. Vickery told SecurityWeek that they will discuss the details of the cooperation at CES 2016, an event to which he was invited by Kromtech.

“As far as I am informed, Kromtech is in the process of setting up an external cooperation with a range of independent security experts and groups to explore new ways to protect its product, infrastructure and users from the evolving cyber threats that companies both large and small face on a daily basis,” Vickery said via email.

At the time when the MacKeeper leak was disclosed, the researcher reported finding a total of approximately 25 million exposed accounts. The total count has now reached 30 million exposed credentials and the research is still ongoing.

Vickery told SecurityWeek that he initially focused on open Amazon AWS S3 buckets, and now MongoDB has taken the spotlight.

Databreaches.net has kept track of the companies whose databases are publicly accessible due to configuration issues. Last week, the website reported that a misconfigured database operated by Sanrio, the Japanese company that owns Hello Kitty, exposed the details of 3.3 million people, including their name, date of birth, email address, password, gender and country of origin.

Another affected organization is Alliance Health, whose MongoDB databases exposed the details of 1.5 million individuals who had registered an account on one of the company’s 29 social communities dedicated to people suffering from arthritis, diabetes, asthma, allergies, HIV and other conditions.

The list of impacted companies also includes Uncle Maddio’s Pizza Joint (164,000 affected customers), OkHello (2.6 million), and Slingo (2.5 million).

Vickery says he has identified dozens of publicly accessible databases and estimates that 15-20 percent of the affected organizations have secured the information they store. The expert noted that he hasn’t managed to notify all the impacted firms and in many cases it’s difficult to reach employees who can actually fix the problem.

“Most companies do indeed patch things up quickly once a high enough ranked staff member catches word of the issue,” the researcher said.

Misconfigured databases are a widespread problem. While Vickery is the first to name affected organizations, there have been several reports over the past year about misconfigured database management systems exposing data.

Earlier this month, Shodan founder John Matherly reported finding 35,000 MongoDB instances exposed online, 5,000 more than he identified in July. The databases, mostly hosted on Amazon, Digital Ocean and Aliyun, stored over 684 TB of data.

Matherly noted that misconfigurations are common for other database management systems as well, including Redis, CouchDB, Riak and Cassandra. This was also demonstrated in August by researchers at security company BinaryEdge, who reported identifying more than 1.1 PB of data exposed online due to misconfigured Redis, MongoDB, Memcached and Elasticsearch databases.
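The article names the cause only as "misconfigured" databases. The pattern behind most of the MongoDB exposures of that period, and the one this added example assumes, is a server that listens on every network interface while authorization is left off, so any client that can reach the port can read every collection. The following script is an added example, not code from the article or from any of the organizations it names: it parses the indentation-based subset of YAML that mongod.conf uses (a minimal parser, not a full YAML implementation) and flags the two settings a defender should check first. Both configuration samples are constructed for the example; the option names `net.bindIp`, `net.bindIpAll` and `security.authorization` are real mongod.conf keys.

```python
"""Audit a mongod.conf for the two settings behind most publicly exposed MongoDB instances."""

# Constructed sample configs (not taken from the article), in mongod.conf's YAML style.
WEAK_CONF = """\
# constructed example of a weak setup: listens everywhere, no authorization
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
# constructed example of a hardened setup: loopback only, authorization on
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

# Bind addresses that expose the listener on every interface.
PUBLIC_BINDS = {"0.0.0.0", "::", "*"}


def parse_mongod_conf(text):
    """Parse the 'key: value' / nested-section subset of YAML used by mongod.conf.

    Comments and blank lines are ignored; nesting follows indentation. Lists,
    quoting and multi-line values are not handled (they are not needed for the
    settings audited here).
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        # Close sections that are indented at least as deep as this line.
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_mongod_conf(conf):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    net = conf.get("net", {})
    # Assumption: when bindIp is absent, the MongoDB releases current at the
    # time of the article (before 3.6) listened on all interfaces, so treat
    # a missing value as exposed.
    bind_ip = net.get("bindIp", "0.0.0.0")
    bound = {b.strip() for b in bind_ip.split(",")}
    if bound & PUBLIC_BINDS or net.get("bindIpAll") == "true":
        findings.append(
            f"net.bindIp={bind_ip}: server listens on all interfaces; "
            "restrict to 127.0.0.1 or a private address and firewall the port"
        )
    security = conf.get("security", {})
    if security.get("authorization") != "enabled":
        findings.append(
            "security.authorization is not 'enabled': any client that can reach "
            "the port can read and modify every database"
        )
    return findings


def audit_text(text):
    """Convenience wrapper: parse a mongod.conf string and audit it."""
    return audit_mongod_conf(parse_mongod_conf(text))


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_text(conf) or ['no findings']}")
```

The weak sample yields two findings and the hardened sample none. The check is deliberately conservative: it treats an absent `bindIp` as exposed and accepts only an explicit `authorization: enabled`, so a config that merely omits the `security` section is reported rather than assumed safe.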

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.