Data Leaks Expose Private Information Without Being Hacked

Although there have been many high-profile hacks, more often than not data is simply not thoroughly protected, and accessing private information requires no authentication.

by Sean Sposito, San Francisco Chronicle / January 18, 2016

(TNS) — Thirteen million MacKeeper users; 3.3 million Hello Kitty fans; 191 million U.S. voters.

Recently, those people’s names, phone numbers and e-mail addresses, among other personal details, were found on the Internet because of leaky databases.

The number of those affected is astounding — made especially terrifying by the fact the data are out there, no hacking required.

“There are tons of these things just sitting out there with no authentication, no password,” said Chris Vickery, the security researcher who discovered those leaks. “You just punch in the IP address and, boom, it’s all there.”

Delving through a list of registered U.S. voters was as easy as placing the numeric URL in a browser.

All the gaffes affecting those databases have since been closed.

These flaws are systemic, spanning the gamut from databases underlying college research material to social media accounts, Vickery said. “All the way down to (data from) sensors from smart parking garages.”

He lays it out like this:

Systems administrators used to set up and maintain servers individually. Today, cloud computing and other fast-moving technologies have become so prevalent that it’s simpler for Web developers, who might not be focused on security, to do it by themselves.

As a result, sensitive information might have been better guarded in the days of clunkier processes.

Vickery, who works in information technology support at a law firm in Austin, Texas, said he often finds these nonsecure databases on Shodan, a search engine that catalogs servers and other Internet-connected devices.

In December, John Matherly, the founder of Shodan, said that he found hundreds of terabytes of data in similarly misconfigured databases.

Matherly specifically identified MongoDB, a type of database that eschews traditional structure.

Outdated versions of the software, which remain widely used, have a basic configuration that left such gaps open.

MongoDB, Matherly said, is just the best known culprit. Others include Redis, CouchDB, Cassandra and Riak.

“The only reason this hasn’t been in the news more often is that it’s harder to discover,” he added. “It’s not like firing up a Web browser and visiting a website to see a database.”

Kelly Stirman, a vice president of strategy at MongoDB, reiterated that the security issues don’t lie within the company’s open-source software.

Rather, the gaffes are the fault of users.

“We have clearly prescribed security guidelines in our documentation, and we strongly encourage all users to follow them,” she said in an e-mail.

A spokeswoman described the situation as much like that of a person moving to a new house. Sometimes someone unwisely leaves the door open between trips to the car and back.

That’s seemingly what is happening in these cases.

©2016 the San Francisco Chronicle Distributed by Tribune Content Agency, LLC.