Document-reading software flinger ABBYY exposed more than 203,000 customer documents as the result of a MongoDB server misconfiguration.
The AWS-hosted MongoDB server was accidentally left publicly accessible and contained 142GB of scanned documents including over 200,000 scanned contracts, memos, letters and other sensitive files dating back to 2012. No username or password would have been needed to access this sensitive info before the hole was plugged.
Independent security researcher Bob Diachenko discovered the breach and alerted the software vendor. The data dump was discovered through Shodan, the machine data search engine, while Diachenko was investigating whether measures had been taken to avert MongoDB ransomware attacks, a particular problem last year.
ABBYY responded by blocking public access to the insecure system, allowing Diachenko to go public about his findings.
"Questions still remain as [to] how long it has been left without password/login, who else got access to it and would they notify their customers of the incident," Diachenko wrote in a LinkedIn post related to the breach.
The name of the particular ABBYY client whose data was exposed has not been disclosed. ABBYY admitted the breach, which it described as a "one-off", but said it had been resolved and had no impact on its various cloud-based services. The affected client was informed about the breach, which did not result in the disclosure of data to hackers, ABBYY said.
Last week, we were notified of a vulnerability affecting one of our MongoDB servers. MongoDB database software is widely used by enterprises. As soon as we got the email, we locked external access to the database, notified the impacted party, and took a full corrective security review of our infrastructure, processes, and procedures.
Our detailed investigation has shown that:
- Only one client was affected. Said client has been notified, and all the necessary corrective measures have been taken.
- No data was lost to an unknown party during the exposure.
- The system is in a fully secure state.
Most importantly, this is a one-off incident and doesn't compromise any other services, products or clients of the company. There is no relationship with or impact to CloudOCRSDK.com, FlexiCapture.com or any of our global cloud offerings. Additionally, no impact to any FlexiCapture or FineReader solution sold or promoted by ABBYY (cloud or on-premise).
We thank the research community for pointing out the vulnerability. The issue has been addressed and corrected. We are and will be taking all and any steps necessary to make sure it does not happen again.
MongoDB comes with security features as well as advice for administrators on how to secure systems. The default configuration of older versions of the database works without password access. Misconfigured MongoDB servers remain a common cause of security problems, and infosec watchers are unimpressed that ABBYY failed to heed the lessons of similar breaches.
"Victims of hacks associated with MongoDB have included the likes of Verizon, 'elite' dating website BeautifulPeople, and 31 million users of an Android keyboard app," said industry veteran Graham Cluley in a post on the Tripwire security blog.
"In this day and age, connecting a naked, unsecured MongoDB instance directly onto the internet can only be described as reckless and inexcusable. The security issue is well known, and the means to protect against it is well-documented." ®
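The misconfiguration described above, a MongoDB server reachable from the network with no username or password, can be caught by a static check of `mongod.conf`. The following is an added example, not code from the article, ABBYY or MongoDB: it reads the real `net.bindIp`, `net.bindIpAll` and `security.authorization` settings, while the sample configurations, the `flatten` and `audit` helpers and the finding strings are constructed for illustration, and an absent `net.bindIp` is assumed to mean localhost only.

```python
# Added example, not from the article: static audit of a mongod.conf file.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def flatten(text):
    """Parse the nested 'key: value' YAML subset used by mongod.conf into dotted keys."""
    out, stack = {}, []  # stack: (indent, key) of the sections currently open
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave sections that ended at this indent level
        value = value.strip().strip("'\"")
        if value:
            out[".".join([k for _, k in stack] + [key])] = value
        else:
            stack.append((indent, key))
    return out

def audit(text):
    """Return findings for a mongod.conf given as a string."""
    cfg = flatten(text)
    # Assumption: an absent net.bindIp means localhost only (MongoDB 3.6+ default).
    binds = {a.strip() for a in cfg.get("net.bindIp", "127.0.0.1").split(",")}
    remote = cfg.get("net.bindIpAll", "false").lower() == "true" or bool(binds - LOOPBACK)
    auth = cfg.get("security.authorization", "disabled").lower() == "enabled"
    if remote and not auth:
        return ["CRITICAL: listens beyond loopback with authorization disabled"]
    if not auth:
        return ["WARN: authorization disabled (loopback only)"]
    if remote:
        return ["INFO: listens beyond loopback; confirm firewall or security group limits clients"]
    return []

# Constructed sample configurations (not ABBYY's actual settings).
EXPOSED = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
HARDENED = ("net:\n  port: 27017\n  bindIp: 127.0.0.1\n"
            "security:\n  authorization: enabled\n")

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit(conf) or ["OK"])
```

A configuration file only shows what the daemon was told to do; command-line overrides and cloud firewall rules still need to be checked separately.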