Unprotected MongoDB: Medical Data of Veterans affected by sleep disorders leaked
MongoDB is used by high-profile platforms worldwide, but recently it has been in the news for all the wrong reasons. Just a couple of days ago a researcher discovered a ransomware scam targeting MongoDB users, and now Chris Vickery and his research team at MacKeeper have discovered a database belonging to Militarysleep.org, a medical initiative to help veterans with sleep disorders.
The database contains personal details of over 1,200 veterans who have been suffering from some kind of sleep disorder. The data includes names, email addresses, clear-text passwords, mobile phone numbers, history related to their military service and their ranks. The worst thing about this database is that researchers also got their hands on chat logs between patients and doctors discussing their medical problems, including email conversations from the @us.army.mil email domain.
According to Vickery, the database is over 2GB. It must be noted, however, that this was not a hack attack: the database was publicly accessible. MongoDB databases are exposed like this not because of a vulnerability but because of a configuration fault, which can be understood as a weak or poorly executed security measure. This is why any remote attacker can access such MongoDB databases without using any specific hacking tool.
The issue was, however, resolved in the software’s next version by setting unrestricted remote access to “off” in the configuration settings. The alarming part is that a large number of site administrators (probably thousands) haven’t updated their servers even today. That negligence leaves those servers open to attackers looking to make quick money from it.
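The configuration fault described above can be checked for directly. The following is an added example, not code from the article, the researchers or the MongoDB project: a small auditor that reads a `mongod.conf` and reports the two settings that leave a server open, using the real options `net.bindIp`, `net.bindIpAll` and `security.authorization`. Both sample configs are constructed, and the parser only handles the simple two-level layout they use.

```python
# Added example: audit mongod.conf text for unrestricted remote access.

# Constructed sample configs, not taken from any real server.
EXPOSED_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0   # reachable from every network interface
"""
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""

def parse_conf(text):
    """Flatten the two-level YAML subset used above into dotted keys."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if line.startswith((" ", "\t")):          # indented: option in a section
            settings[f"{section}.{key}"] = value.strip().strip("\"'")
        else:                                     # top level: section header
            section = key
    return settings

def audit(text):
    """Return a list of findings; an empty list means both checks passed."""
    conf = parse_conf(text)
    findings = []
    bind = conf.get("net.bindIp")
    addrs = {a.strip() for a in (bind or "").split(",")}
    if conf.get("net.bindIpAll", "").lower() == "true" or addrs & {"0.0.0.0", "::"}:
        findings.append("net: listening on all interfaces")
    elif bind is None:
        # Assumption: without an explicit value the default depends on the version.
        findings.append("net.bindIp not set: default depends on MongoDB version")
    if conf.get("security.authorization", "").lower() != "enabled":
        findings.append("security.authorization is not enabled")
    return findings

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "OK")
```

A clean result here only covers the config file; command-line options passed to `mongod` and firewall rules still need to be reviewed separately.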
This is not the first time an unprotected MongoDB database has been found open to public access. Last year, in two different incidents, more than 36 million and 58 million accounts were leaked respectively from unsecured MongoDB databases.
Vickery is also the researcher who discovered the exposed voter data of American and Mexican citizens. He also discovered US voter registration records and a terrorist database that was leaked from an unprotected database. If you want to contact the researcher or read more about this story, we recommend Vickery’s blog post and the analysis from Databreaches.