Optical character recognition software provider ABBYY accidentally exposed over 200,000 highly sensitive corporate documents via an unprotected MongoDB database. The cache in question was left publicly accessible online without any password protection.
The incident was discovered by security researcher Bob Diachenko, who revealed that the database contained 142GB of data and was hosted on Amazon Web Services (AWS) infrastructure in the US.
“On August 19th, I came across a 142GB US-based / AWS-hosted MongoDB, not protected by password and login, hence available for public access. In order to identify the owner and follow responsible disclosure, I started to analyze samples from the database. Some collection names like 'documentRecognition', or 'documentXML' hinted that database would be part of a data recognition company infrastructure,” independent security researcher Bob Diachenko wrote in his blog post.
The security expert confirmed that the exposed files included contracts, non-disclosure agreements, memos and other confidential documents dating back to 2012. The leaked data also included corporate usernames and scrambled passwords.
Diachenko said that he notified ABBYY’s head of information security about the breach, after which ABBYY took appropriate security measures. The firm has disabled access to the affected MongoDB database and password-protected it. However, it remains unclear how long the data was exposed on the internet before ABBYY secured its database.
“Database access has been disabled soon after I sent him IP address (2 days after my initial notification), but questions still remain as to how long it has been left without password/login, who else got access to it and would they notify their customers of the incident,” Diachenko added.
Meanwhile, the firm has notified affected clients and is also proactively reviewing its security processes and procedures.
“We corrected this issue and appreciated your validation that the vulnerability noted was resolved. We have notified the impacted party and have taken a full corrective security review of our infrastructure, processes and procedures. Our commitment to security and trust is extremely important,” ABBYY told Diachenko.