Over 58 million customer records have been stolen and leaked online by a hacker. Personal and sensitive information of customers including names, email and postal addresses, phone numbers, IP addresses and more have been stolen from an unsecured MongoDB database, operated by a US-based data storage company.
The data was reportedly stolen from Austin headquartered Modern Business Systems (MBS), which provides businesses with database hosting solutions and data storage, among other services. A hacker going by the handle 0x2Taylor on Twitter published much of the stolen data online. The hacker claimed to have used the search site Shodan.io to uncover the open database.
According to the collaborative efforts of security researchers at Risk Based Security (RBS) and DataBreaches.net, MBS was running an unsecured MongoDB database, which could have been accessed by anyone. MBS is yet to confirm the breach. However, according to RBS, the firm has been informed of the breach and has since secured the database. IBTimes UK has reached out to MBS for further comment about the breach.
The hacker also shared a screenshot containing a table of 258 million rows of personal data with security researchers, which indicated that he may be in possession of additional records. After leaking the data online, the hacker later posted a tweet, mulling over the idea of dumping more records. "Debating weather to drop the other 25.6 Million from Mod business Solutions bringing it to a total of 80+ million," 0x2Taylor wrote.
According to a report by the Register, a user identified as David R discovered that he was one among the millions affected by the breach, after having received a notification from the popular data breach notification site haveibeenpwned.com. "[I'm] pretty angry that they're just sticking their head in the sand and not telling us anything, especially when this is the 9th largest breach on haveibeenpwned," David R said.
0x2Taylor previously also claimed to have breached Amazon's servers, after having published a database appearing to have contained thousands of customer credentials on Twitter. However, the breach was later denied by Amazon. The firm later clarified that the accounts leaked were "not legitimate Amazon customer accounts."
Commenting on the breach, security expert Graham Cluley wrote in a post for Tripwire, "Sadly, misconfigured MongoDB databases are all too common, and the use of search engines like Shodan has made it easier for hackers to identify internet-connected systems that are unsecured, or revealing themselves online when they should not be visible to the outside world."