A hacker scanning for unsecured databases was able to compromise at least 58.8 million records – and possibly as many as 258 million – from Modern Business Solutions (MBS), a data management and monetization firm primarily serving the automotive, employment and real-estate industries.
According to an online report by Risk Based Security (RBS), an individual with the Twitter handle @0x2Taylor doxxed the stolen data twice last weekend on the file-sharing site MEGA – both times it was removed – and then again on a smaller file-sharing website. In a subsequent series of communications with RBS, the perpetrator claimed that the vulnerable MongoDB database was initially discovered by an acquaintance who then shared its IP address with him and other friends.
@0x2Taylor confirmed to RBS that the original hacker discovered the unprotected, open-source database using the search site Shodan.io. “In our experience, given the size of the database and the fact it was clearly from a MongoDB installation, our researchers immediately suspected Shodan was the tool used to identify the open database. This was later confirmed through conversations with the 0x2Taylor,” said Inga Goddijn, executive vice president and managing director of insurance services at RBS, in an email interview with SCMagazine.com.
Leaked information included names, IP addresses, birth dates, email addresses, vehicle data and occupations. At first, it was unclear who this data belonged to. However, “Our researchers were able to identify administrative records within the database. This information was used to link ownership to MBS,” explained Goddijn.
According to RBS, evidence suggests the data may have originated from MBS' cloud-based data management platform, called Hardwell Data, which according to the report allows customers to “collect, store and transfer data records regardless of format…” It is not clear to what extent the stolen data consists of customer records MBS was storing and managing on behalf of its clients, or how much of the data strictly pertains to MBS' own client base. SCMagazine.com has reached out to MBS for comment.
RBS worked with breach reporting site Databreaches.net to contact MBS and disclose the incident. Although MBS reportedly did not issue a reply, RBS researchers have determined that the database has since been secured.
While the initial leaks exposed approximately 58 million records, @0x2Taylor later referenced an additional data set containing 258 million rows of personal data, presented in a format similar to the original leak. RBS was unable to confirm the validity of this additional data table because by then the database had been secured.
In a blog post today about the breach, security solutions provider Tripwire advised readers to see if their information was stolen by searching their details on the website Have I been Pwned?, which has added data from the MBS hack.
“Sadly, misconfigured MongoDB databases are all too common,” wrote security researcher Graham Cluley in a Tripwire blog post today about the breach, “and the use of search engines like Shodan has made it easier for hackers to identify internet-connected systems that are unsecured, or revealing themselves online when they should not be visible to the outside world.”