November 18, 2018

Nearly 700,000 Amex India customers exposed via unsecured MongoDB server

Personal data of nearly 700,000 Amex India customers was exposed online via a MongoDB server that was unintentionally left unsecured. The server was discovered without password protection three weeks ago by Bob Diachenko, Director of Cyber Risk Research at cyber-security firm Hacken.
Most of the data on the server was stored in encrypted form and requires a decryption key to read, but the researcher said 689,272 records were stored in plain text and anybody could have accessed that information online.

Diachenko says the plaintext records contain customers' personal information such as full name, phone number, address, and card type in a description field. This data is not very useful for any compromise, but it is more than enough to run a spam campaign.
The encrypted records, on the other hand, totalled 2,332,115 entries. Based on the MongoDB table headers, they contain more information, such as customer full names, Aadhaar numbers, addresses, PAN card numbers and phone numbers.

"Upon closer examination, I tend to believe that the database was managed not by Amex but one of their subcontractors responsible for SEO or lead generation," said Diachenko.
Nonetheless, Amex India claimed that its investigation did not discover any "evidence of unauthorized access," suggesting that Diachenko could have been the only person who accessed the server during its exposure.

Diachenko also found an unsecured Elasticsearch cluster containing millions of records of Mindbody (one of the largest wellness service providers in the US), just two weeks before discovering the vulnerable Amex server. He also found data leaks from a Maryland consulting firm well known for its fundraising for the Democratic Party.

