Data belonging to more than 66 million users has been found on a website that was completely accessible to everyone. The records appear to have been scraped from LinkedIn profiles.
The data may also include information that could be used to personally identify users, and hackers could build a phishing attack on it.
According to Bob Diachenko, the director of Cyber Risk Research at Hacken, the MongoDB database was exposed without any authentication, leaving exactly 66,147,856 records accessible. The records contained the following details about each user:
- E-mail address.
- Location details.
- Phone number.
- Previous employers.
- Link to profile.
The records also exposed personal as well as professional e-mail addresses, and the location was specified down to country, state, and city.
The Leak Found Via Web Scraping
The researcher who found the leak first discovered a repository that held approximately 50 million records. The leak was not made on purpose; it happened as a result of researchers performing so-called “web scraping”, the activity of extracting data from a website. It follows the discovery of a MongoDB database impacting over 120 million up-to-date records. MongoDB has also suffered ransomware attacks, with a rapid increase in the rate of successful infections:
Only recently, in September, MongoDB was hit by a virus attack that impacted web apps and websites and caused them to malfunction on a massive, global scale, likely compromising 93 terabytes of data from 12,000 MongoDB servers and demanding 1 Bitcoin for the recovery of the data there.
Moreover, researchers in Florida have discovered around 22 million records that also contain employee candidates’ personal addresses, e-mails, names and the job-search areas they are interested in.
As for personal information, security researcher Diachenko stated in his report that, while this information is available to the public, it is not a good idea to use the hidden data of the user, since it is illegal.