Data Protection

Researcher Finds More Misconfigured Databases Exposing User Data

Chris Vickery, the researcher who identified tens of misconfigured databases that exposed the credentials of millions of users, reported finding more vulnerable databases.

Over the past weeks, Vickery has been searching the Web for misconfigured databases that expose user information. His work made the news in mid-December when he reported finding a database storing the details of 13 million MacKeeper users.

The developer of the controversial OS X security and optimization tool, Kromtech Alliance, quickly addressed the issue and announced its intention to cooperate with Vickery as it continues to look for vulnerabilities and security issues in its products. Vickery told SecurityWeek that they will discuss the details of the cooperation at CES 2016, an event to which he was invited by Kromtech.

“As far as I am informed, Kromtech is in the process of setting up an external cooperation with a range of independent security experts and groups to explore new ways to protect its product, infrastructure and users from the evolving cyber threats that companies both large and small face on a daily basis,” Vickery said via email.

When the MacKeeper leak was disclosed, the researcher reported finding a total of approximately 25 million exposed accounts. The total count has now reached 30 million exposed credentials, and the research is still ongoing.

Vickery told SecurityWeek that he initially focused on open Amazon AWS S3 buckets, and that MongoDB has now taken the spotlight. A website that has kept track of the companies whose databases are publicly accessible due to configuration issues reported last week that a misconfigured database operated by Sanrio, the Japanese company that owns Hello Kitty, exposed the details of 3.3 million people, including their name, date of birth, email address, password, gender and country of origin.

Another affected organization is Alliance Health, whose MongoDB databases exposed the details of 1.5 million individuals who had registered an account on one of the company’s 29 social communities dedicated to people suffering from arthritis, diabetes, asthma, allergies, HIV and other conditions.

The list of impacted companies also includes Uncle Maddio’s Pizza Joint (164,000 affected customers), OkHello (2.6 million), and Slingo (2.5 million).

Vickery says he has identified dozens of publicly accessible databases and estimates that only 15-20 percent of the affected organizations have since secured the information they store. The expert noted that he hasn’t managed to notify all the impacted firms, and that in many cases it’s difficult to reach employees who can actually fix the problem.

“Most companies do indeed patch things up quickly once a high enough ranked staff member catches word of the issue,” the researcher said.

Misconfigured databases are a widespread problem. While Vickery is the first to name affected organizations, there have been several reports over the past year about misconfigured database management systems exposing data.

Earlier this month, Shodan founder John Matherly reported finding 35,000 MongoDB instances exposed online, 5,000 more than he identified in July. The databases, mostly hosted on Amazon, Digital Ocean and Aliyun, stored over 684 TB of data.

Matherly noted that misconfigurations are common for other database management systems as well, including Redis, CouchDB, Riak and Cassandra. This was also demonstrated in August by researchers at security company BinaryEdge, who reported identifying more than 1.1 PB of data exposed online due to misconfigured Redis, MongoDB, Memcached and Elasticsearch databases.
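The MongoDB exposures counted above come down to two settings: a server that listens on every network interface, and one that runs without authorization enabled, so anyone who can reach port 27017 can list and dump every database. The following Python script is an added example, not code from the article or from any of the researchers or companies it names; it audits a mongod.conf for those two conditions and flags the weak settings next to a hardened configuration. The three sample configurations, the private address 10.0.3.7 and the small YAML subset the parser accepts are all assumptions made for this example.

```python
"""Audit a mongod.conf for the two settings behind open MongoDB instances:
listening on every interface and running without authorization.

Added example; the sample configurations below are constructed.
"""

from typing import Any, Dict, List

Conf = Dict[str, Any]

# Constructed sample configurations (assumptions, not taken from any real host).
WEAK_CONF = """\
# mongod.conf on a cloud VM: reachable from the Internet, no auth
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

LEGACY_CONF = """\
# bindIp omitted entirely: mongod releases before 3.6 then bind all interfaces
storage:
  dbPath: /var/lib/mongodb
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.3.7   # loopback plus the private app-tier address (assumed)
security:
  authorization: enabled
"""

# Addresses that mean "every interface" when they appear in net.bindIp.
PUBLIC_BINDS = {"0.0.0.0", "::", "::0", "0:0:0:0:0:0:0:0"}


def parse_conf(text: str) -> Conf:
    """Parse the indented 'key: value' subset of YAML that mongod.conf uses.

    Comments and blank lines are skipped; nesting follows indentation.
    Lists, quoting and multi-line scalars are not handled, so for real
    audits parse with PyYAML instead; this keeps the example dependency-free.
    """
    root: Conf = {}
    stack = [(-1, root)]  # (indent, mapping) for each section still open
    for raw in text.splitlines():
        stripped = raw.lstrip(" ")
        if not stripped or stripped.startswith("#"):
            continue
        line = raw.split(" #", 1)[0].rstrip()  # drop a trailing comment
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # close sections we have dedented out of
            stack.pop()
        parent = stack[-1][1]
        if value:
            parent[key] = value
        else:
            child: Conf = {}
            parent[key] = child
            stack.append((indent, child))
    return root


def audit(conf: Conf) -> List[str]:
    """Return one finding per setting that leaves the instance exposed."""
    findings: List[str] = []
    net = conf.get("net", {})
    bind = net.get("bindIp")
    if str(net.get("bindIpAll", "")).lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    elif bind is None:
        findings.append("net.bindIp is not set: mongod releases before 3.6 default to all interfaces")
    else:
        public = [a.strip() for a in bind.split(",") if a.strip() in PUBLIC_BINDS]
        if public:
            findings.append(f"net.bindIp includes {', '.join(public)}: mongod listens on every interface")
    auth = str(conf.get("security", {}).get("authorization", "disabled")).lower()
    if auth != "enabled":
        findings.append("security.authorization is not enabled: anyone who reaches the port can read and write every database")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("legacy", LEGACY_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}:")
        for finding in audit(parse_conf(text)) or ["no findings"]:
            print("  -", finding)
```

An omitted bindIp is treated as a finding because, before MongoDB 3.6, the server bound to all interfaces unless the setting was present (several distribution packages shipped a config that set it to 127.0.0.1, but a hand-installed or container-built instance often did not); from 3.6 onward the default is localhost and bindIpAll exists, so the script checks that too. The config audit complements, rather than replaces, a network-side test: connecting from an outside host with the mongo shell and running listDatabases without credentials is the definitive proof that an instance is open in the way the article describes.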

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.