On April 18th, during our regular security audit of nonSql databases with BinaryEdge search engine, I have discovered an open and publicly available MongoDB instance which contained astonishingly sensitive information on Iranian drivers. Information was…
Viewlift, a digital distribution platform, have been exposing data of its clients for several weeks back in November-December 2018, or maybe even earlier. According to Shodan historial data, Elasticsearch in question was indexed (hence publicly…
Sometimes databases are left wide open not only by legit companies, but misconfigured by malicious actors themselves. Last month I have discovered a publicly available database with almost 5GB of 11,535,164 records with compromised emails…
Medical data is among the most sensitive information that organizations can collect, store, or share. It is never a good idea to store medical data in plain text or leave it publicly accessible. The nightmare…
On March 21, 2019, I have discovered a publicly available service instance which appeared to contain credentials and login details to Auchan E-Commerce infrastructure. IP with Marathon and Zookeeper instances was indexed by public search…
On March 8th, 2019, I have identified a passwordless MongoDB database that was exposing sensitive information of an estimated 6,608 VivaGym job candidates and other business related data. VivaGym is a Spanish low-cost gym franchise…
On March 2nd, 2019, I have discovered an open and unprotected Elasticsearch cluster which contained 257,287 legal documents labeled as ‘not designated for publication‘. The research was part of our initiative to identify and alert organizations…
On February 25th, 2019, I discovered a non-password protected 150GB-sized MongoDB instance. This is perhaps the biggest and most comprehensive email database I have ever reported. Upon verification I was shocked at the massive number…
On Feb 22 2019, I found a copy of the Dow Jones Watchlist dataset, sitting on a public Elasticsearch cluster 4.4GB in size and available for public access to anyone who knew where to look…
On Feb 19, 2019, I have discovered a MongoDB that required no password. The database was located in an India region which (along with other data) also contained highly sensitive information collected on 458,388 individuals…
On January 22, 2019, we have identified a passwordless MongoDB database with almost 5 Million records labeled as CFDI (short for Comprobantes Fiscal Digital por Internet) – the electronic billing schema defined by the Mexican federal tax…
On Nov 29th 2018 I have identified an unprotected Elasticsearch cluster, available for public access, via Shodan engine. It took me some time before I analyzed the data and noted that almost all payment information…
On January 10th, I identified an unprotected Elasticsearch cluster which contained 51 GB of what appeared to be OCR (Optical character recognition) credit and mortgages reports, with total number of records in the database more…
On January 11th, Bob Diachenko of SecurityDiscovery.com, identified another unprotected Elasticsearch instance which contained millions of records – this time related to AIESEC, “the world’s largest youth-run organization. According to Wikipedia the AIESEC network has…
On December 1st 2018 Bob Diachenko found a misconfigured database that has publicly exposed millions of user contacts, SMS, and call records that appear to belong to Tri.co.id. With over 260 million total records this…
Researchers from SecurityDiscovery.com have found a security flaw in an Apache Airflow instance which allows anybody with an internet connection to view database credentials. It appears that the instance belongs to the Howard Hughes Corporation….
Kars4Kids is a charity that asks people to donate their cars, motorcycles, RVs, and real estate. They are most known for their nationwide advertising using their hypnotic theme song where a child and a Johny…