- Independent security researcher Bob Diachenko spotted a customer database with 11 million records.
- The database contains 10,999,535 email addresses from Yahoo!
- Personal data in the database includes names, addresses, state and city of residence and zip code.
A MongoDB database that contains 11 million personal records of customers was spotted online without any encryption by independent security researcher Bob Diachenko. the researcher used publicly available tools to scan the internet and found the dataset which was last indexed by search engine Shodan on September 13. It is unknown how long the database has been available for access prior to the finding.
According to Diachenko “The origin of data remains unknown, as database name itself did not give any clues as of potential owner. Also, data did not contain any administrator emails, system logs or host information. One hint was given in the description of the lists in which a particular email was part of – “Yahoo_090618_ SaverSpy”.”
Another spam (?) operator's dataset in the wild, with unusually high level of details: 11 million records. Name/lastname/zipcode/city/state/address. pic.twitter.com/rNR9SNZFCI
— Bob Diachenko (@MayhemDayOne) September 17, 2018
The MongoDB database contains names, addresses, state and city of residence and zip codes. Such a massive data pool can leave the listed individuals very vulnerable to all kinds of illegal activity. According to Diachenko, some of the data may be from the Quotient Technology’s websites SaverSpy and Coupons. A spokesperson from Quotient commented that the leak did not originate from the company’s end and there are no signs of a data breach. Both SaverSpy and Coupons use a similar signup process, and it seems like the data is stored in an unsecured database which is available for public access.
No phone numbers or payment card details were found in the MongoDB leak. However, outside of personal information, the database also included email correspondence status for a campaign and a confirmation if the promotional email went through. The database is no longer publicly visible, but internet users other than Diachenko have already accessed it. Earlier this month another database containing information of 42 million individuals was also leaked. The MongoDB database was marked as compromised in Shodan and included a ransom note demanding 0.4 BTC. No other details about the attack are currently known.