An unsecured MongoDB server leaked 66 million scrapped user profiles

• An unsecured MongoDB database that contained over 66 million scrapped user profiles, was discovered, adding to a total of over 120 million leaked profiles data discovered since October 2018.
• The exposed data included people’s names, emails, location details, skills, employment history - likely to have been sourced from their LinkedIn profiles.

Any instance of a data breach, which leads to exposure of sensitive user data like credit card information, always gains a lot of attention. Once again, a misconfigured cloud server has leaked copious amounts of sensitive data in yet another massive breach.

Over the last few months, several large unsecured databases containing sensitive user data have been discovered by security researchers. One such database was recently discovered by Bob Diachenko, director of cyber research at Hacken. The unsecured MongoDB server contained millions of scraped user profiles.

A flood of scraped data

“In total, we can confirm there are now 66,147,856 unique records exposed in what seems to be different “chapters” of the same huge collection of data….The three-part database was hosted on different IPs and was exposed due to the lack of authentication in the case of the MongoDB instance,” the researchers at Hacken reported.

Since this data contains the type of information usually available on public platforms like LinkedIn, the profiles were likely scraped from such a platform. This breach adds to the other findings from the same team, adding up to a total of over 120 million records.

“The three-part database was hosted on different IPs and was exposed due to the lack of authentication in the case of the MongoDB instance. It did not contain any sensitive personal data such as credit card details or passwords,” Hacken researchers added. “We could not identify the owner of the MongoDB hosted database due to the lack of recognizable patterns in the dataset structure.”

How to check if you were exposed?

Even though the database is no longer available online, it could still resurface on a different location. The scraped data is being uploaded to the HaveIBeenPwned service which allows users to check whether their data has been exposed.

The legality of scrapping is somewhat of a grey area. Diachenko said that while it is legal to copy or download publicly available information online, using it for malicious purposes is illegal.

Such data breaches suggest that it would be wise for users to only share minimal information on social media profiles. Users should also especially avoid sharing any sensitive information like financial or health data.