“An unprotected and public-facing MongoDB database containing over 275 million records of personal information on Indian citizens has been discovered on search engine Shodan,” writes Slashdot reader helpfulhecker.
BleepingComputer reports that the detailed personally identifiable information was exposed online for over two weeks:
Security Discovery researcher Bob Diachenko discovered the publicly accessible MongoDB database hosted on Amazon AWS using Shodan, and as historical data provided by the platform showed, the huge cache of PII data was first indexed on April 23, 2019. As he found out after further investigation, the exposed data included information such as name, gender, date of birth, email, mobile phone number, education details, professional info (employer, employment history, skills, functional area), and current salary for each of the database records.
While the unprotected MongoDB database leaked the sensitive information of hundreds of millions of Indians, Diachenko did not find any information that would link it to a specific owner. Additionally, the names of the data collections stored within the database suggested that the entire cache of resumes was collected “as part of a massive scraping operation” for unknown purposes.
Two months ago, Diachenko also helped uncover over 800 million exposed email addresses in another unprotected MongoDB database. And in January, an investigation with TechCrunch also discovered millions of highly sensitive financial documents from tens of thousands of individuals who took out loans or mortgages.
The same month, Diachenko also discovered an exposed 854-gigabyte MongoDB database filled with resumes from over 200 million job-seekers in China.