For at least a week in December, an open MongoDB server exposed more than 200 million records containing the resumes of Chinese job seekers.
On December 28, Bob Diachenko, director of cyber risk research at HackenProof, discovered an 854GB MongoDB database, containing information on “candidates’ skills and work experience but also on their personal info, such as mobile phone number, email, marriage, children, politics, height, weight, driver license, literacy level, salary expectations,” Diachenko wrote in a blog post, and which didn’t require password/login authentication to access.
“In the case of this data breach, or data exposure, the unprotected data was open and available for about a week, according to the report,” said Jonathan Deveaux, head of enterprise data protection for Comforte. “Forensics from past data breaches have revealed that outside access to data was typically available for months, and sometimes years. Therefore, one might say that the owners of this database were ‘lucky’ that the data was only exposed for a week.”
Deveaux said regardless of the reason behind the exposed database, the “incident surely points out that any kind of data could be at risk at any given time. More must be done to consider data protection and privacy at the earliest point of entry into databases, files, and other stored areas, as to minimize exposures of all sizes.”
Rod Soto, director of security research at JASK, said such incidents, which exploit a vulnerable product, “raises the question of if software developers should be mandated to introduce automatic patching of their code, even if this change would bring on additional risks or downtime.”
While forcing updates or patches can lead to unintended consequences, Soto maintained, “due to the amount of breaches like this and related criminal activity that comes with them, it is time to weigh the pros and cons of leaving these products unpatched and exposed vs. patching/securing them and dealing with the collateral effects.”