A huge customer database containing 11 million records that include personal details, has been discovered on Monday sitting online, unprotected.
The data was available from a MongoDB instance set up on the hosting infrastructure from Grupo-SMS USA, LLC, and could be accessed by anyone able to find the path to it.
Independent security researcher Bob Diachenko found the information by scanning the internet using publicly available tools. His research revealed that the dataset had been last indexed by Shodan search engine on September 13, but it is unclear how long it was open for access before that date.
The collection is 43.5GB large and contains 10.999.535 email addresses, all of them from Yahoo!, the researcher says. It also holds names (first and last), physical addresses, ZIP code, and customers' state and city of residence.
... ... ...
This information alone is a boon for criminals running all sorts of illegal or shady businesses: spammers, scammers (tech support, tax), botnet herders, or malware peddlers of any kind (ransomware, cryptomining, spyware, info stealers, banking).
Ownership of the database: unknown
A sample from the database shared by Diachenko shows that some records may be from users of SaverSpy website, which provides printable and digital discount coupons for a wide range of products.
... ... ...