by dpina 3835 days ago
> Update 2: Earlier this afternoon, Chris Vickery confirmed that the three IP addresses that were disclosing user information have been secured. The issue wasn't a hack, but a misconfigured MongoDB installation.

> The source of the configuration error isn't clear, as neither the ISP nor Sanrio has answered questions on the matter.

A MongoDB database open to the outside world on a public IP address?

3 comments

> A MongoDB database open to the outside world on a public IP address?

Maybe someone was inspired by this article?

https://blog.shodan.io/its-still-the-data-stupid/

> At the moment, there are at least 35,000 publicly available, unauthenticated instances of MongoDB running on the Internet. [...] all of the exposed databases combined account for 684.8 TB of data.

These things happen to the best: In 2001, the World Economic Forum had their MS SQL Server with personal data of the participants connected to the Internet. With the standard account enabled (user: "sa", password: empty). It then got "hacked" and the data leaked.

German article about it: https://www.woz.ch/-41f8

Why is everybody immediately making these types of diversion responses regarding relational datastores to MongoDB breaches? Mongo has popularity and 2 fixable issues that make the exposure numbers outweigh those of every other datastore right now.

1. There is no password prompt during installation. This was the same problem many relational databases had back in the day with default user credentials. Today, I don't know of a single relational datastore that comes with default credentials during installation. (ignoring things that shouldn't go to production like homebrew) Individually, they all said it was a "security threat" and did something about it.

2. Things like MMS or other offerings from MongoDB itself expect you to expose your nodes externally so they can manage things for you. This can easily be made secure... but it's contradictory in nature. It suggests to somebody who probably doesn't know what they're doing on the IT or DevOps fronts to do something more easily dangerous than not... just so they can sell their vendor services to you. It's a recipe for disaster but it's also easily fixable with a few design changes on their side.

I guess you could read my post as "others aren't better than MongoDB", but that wasn't my intention. I merely remembered the WEF anecdote and thought I'd mention it here (although it's unfortunate I didn't find an English source for it).

MongoDB is repeating the same mistakes others made 15 years ago.

Apologies, wasn't really directed at you. I'm sure you've seen all the other comments related to this type of news.

Sounds like we both agree that MongoDB is repeating the same mistakes others had made 15 years ago. The only difference is, back then, there was a less dramatic excuse for how it got that way.

i.e. the default configuration

But yeah, that's not good.

> i.e. the default configuration

The default configuration for MongoDB is to listen on localhost only. Someone changed the configuration if it was listening on a public IP.

This is only true after the Mongo people were lambasted on the web for having such a terribly insecure out of the box product. Which was fairly recently. For years the product would bind to all IP addresses. Which is insane for a default install.

Feb 2015:

Discovered 40,000 vulnerable MongoDB databases on the Internet

http://securityaffairs.co/wordpress/33487/hacking/40000-vuln...

The changes were made after this, so we're only talking a few months now.

>The default configuration for MongoDB is to listen on localhost only

That's true, but I remember that change was only made recently. Before, mongo would listen on all IPs and had no passwords.

Some official distributions listened on all addresses by default (by design) until recently. https://blog.shodan.io/its-the-data-stupid/
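
The last few comments turn on two settings: which address mongod binds to and whether authorization is on. As an added illustration (not code from this thread, from Sanrio, or from MongoDB), here is a small stdlib-only Python audit of a mongod config that reports the "listening on a non-loopback address with no auth" combination. It reads both the legacy key=value format ("bind_ip", "auth") and the YAML format ("net.bindIp", "security.authorization"); the YAML reader is a deliberately tiny two-level parser written here so the example runs without PyYAML, and the format detection (a line ending in ":" means YAML) is a heuristic of this example. The three sample configs are constructed for the example, not taken from the incident.

```python
"""Audit a mongod configuration for the exposure discussed above: listening on
a non-loopback address with no authorization.  Handles the legacy key=value
format ("bind_ip = 0.0.0.0", "auth = true") and the YAML format
("net.bindIp", "security.authorization") with a small stdlib-only reader that
understands just the two-level keys this check needs (no PyYAML)."""
import ipaddress

LOOPBACK_NAMES = {"localhost"}


def _parse_legacy(text):
    # key = value per line; '#' starts a comment
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def _parse_yaml_subset(text):
    # "section:" at column 0, "  key: value" indented underneath; nothing deeper
    settings = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if indent == 0:
            section = key
            if value:
                settings[key] = value
        elif section is not None:
            settings[section + "." + key] = value
    return settings


def parse_mongod_conf(text):
    # heuristic used by this example: a YAML file has at least one "section:" line
    stripped = [l.split("#", 1)[0].rstrip() for l in text.splitlines()]
    yaml_like = any(l.endswith(":") for l in stripped)
    return _parse_yaml_subset(text) if yaml_like else _parse_legacy(text)


def is_public(addr):
    """True for anything that is not loopback (0.0.0.0 and :: included).
    Unparseable names are treated as public so the audit errs toward flagging."""
    if addr in LOOPBACK_NAMES:
        return False
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True


def audit(text):
    s = parse_mongod_conf(text)
    raw_bind = s.get("net.bindIp", s.get("bind_ip"))
    binds = None if raw_bind is None else [a.strip() for a in raw_bind.split(",") if a.strip()]
    auth = (s.get("security.authorization", "").lower() == "enabled"
            or s.get("auth", "").lower() in {"true", "1", "yes"})
    findings = []
    if binds is None:
        # the shipped default has varied between builds, so demand an explicit value
        findings.append("no bindIp/bind_ip: exposure depends on the build default; set it explicitly")
        public = []
    else:
        public = [a for a in binds if is_public(a)]
        if public:
            findings.append("listens on non-loopback address(es): " + ", ".join(public))
    if not auth:
        findings.append("authorization not enabled: any client that can connect has full access")
    return {
        "bind": binds,
        "auth": auth,
        "exposed_unauthenticated": bool(public) and not auth,
        "findings": findings,
    }


# Constructed sample configs for this example (not from the incident).
LEGACY_OPEN = """# legacy key=value style, constructed
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongod.log
bind_ip = 0.0.0.0
"""

YAML_OPEN = """# YAML style, constructed
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

YAML_HARDENED = """# constructed: loopback plus one internal address, auth on
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in [("legacy open", LEGACY_OPEN), ("yaml open", YAML_OPEN), ("hardened", YAML_HARDENED)]:
        r = audit(conf)
        print(f"{name}: exposed_unauthenticated={r['exposed_unauthenticated']}")
        for f in r["findings"]:
            print("  -", f)
```

The hardened sample still produces a finding for 10.0.0.5: binding to an internal address with auth on is the usual replication setup, but it is only as safe as the firewall in front of it, so the audit reports it rather than silently treating "auth enabled" as the end of the story.
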

Oh I see. Assumed it was like mysql/mariadb where secure_installation by default asks to remove access from outside.

It also implies the frontend server includes the DB; typically a sysadmin would de-couple it, so this shows a lack of experience.