Veeam leaves MongoDB database wide open, exposes 445m records

Veeam, a Swiss-based company that develops backup, disaster recovery and intelligent data management software and which markets itself as a data giant that can “move securely across multi-cloud infrastructures”, seems to have left a 200GB MongoDB database open and defenseless, exposing 445m customer records.

Former Kromtech security researcher Bob Diachenko said in a blog post on Tuesday that he came across the Amazon Web Services- (AWS-) hosted database last Wednesday when he was using the IoT search engine Shodan.

The database had last been indexed on 31 August, Diachenko said, but he’s not sure how long the records were exposed.

The publicly searchable, wide-open database quietly slipped back into secure mode four days later, as of 9 September. TechCrunch’s Zack Whittaker says that the server was pulled offline three hours after the publication informed the company about the exposure.

The records didn’t contain terribly sensitive information – they included, among other things, first and last names, email addresses, customers’ countries, customer size, and some IP addresses – but that’s plenty enough for spammers, spear-phishers or other bad actors to work with.

In fact, misconfigured MongoDB instances – which, unfortunately, crop up all the time – have their very own flavor of ransomware. Called Mongo Lock, as of January 2017 it was plucking the contents of tens of thousands of unprotected MongoDB databases, exporting it, and replacing it with a ransom demand.

As Diachenko notes, issues with MongoDB have been known, and widely reported, since at least March 2013. Still, more than five years later, MongoDB databases keep turning up in Shodan.

The database’s history has much to do with its rocky security road: on some systems the default configuration has the database listening on a publicly accessible port as soon as it’s installed. Admins are supposed to reconfigure the settings, but many don’t. The result is an internet-connected database with no access control or authentication.

That’s since changed: starting with version 2.6.0, MongoDB began denying all networked connections to the database unless explicitly configured by an administrator.

As far as Veeam’s database goes, a spokesperson told TechCrunch that it’s looking into the matter:

We will continue to conduct a deeper investigation and we will take appropriate actions based on our findings.