Earlier this month, researcher Bob Diachenko announced that he had found more than 2 million records of Mexican patients exposed online. On further investigation, he found an unprotected MongoDB database to be the cause of that exposure. Now he has discovered thousands more records leaked online, again from an unprotected MongoDB instance. This time, it is the babysitting app Sitter that exposed customers’ data.
Babysitting App Sitter Leaked 93K Users’ Records
Independent security researcher Bob Diachenko found an exposed database containing several thousand records indexed on Shodan. Digging further, he found that the data belonged to the babysitting app Sitter, and that the unprotected MongoDB instance had exposed around 93,000 customer records online. He later disclosed his discovery publicly in an article on LinkedIn.
As stated in his blog,
“On August 13th, 2018, Shodan indexed another unprotected database. Upon closer look, it appears that Sitter, “the No.1 app for managing babysitters”, inadvertently exposed its MongoDB instance to public.”
According to Diachenko, the dataset was around 2 GB and contained 93,000 records that included detailed personal information as well as transaction details, encrypted passwords, and partial credit card numbers. It also included notification logs, in-app chats, and requests for babysitters along with the date, time, and address.
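The quoted description, an instance “exposed to public” that Shodan could index, points to a server configuration problem rather than a software bug: a mongod that listens on every interface with access control left at its default (disabled). The following mongod.conf fragments are an added illustration and are not Sitter’s configuration or anything Diachenko published; the IP addresses and port are assumed sample values. The first document shows the weak setting, the second the corrected one.

```yaml
# Weak configuration (constructed example): reachable from any network
# and accepting unauthenticated clients.
net:
  bindIp: 0.0.0.0          # listens on all interfaces, including the public one
  port: 27017              # default port, the one internet scanners probe
# No "security" section: authorization stays at its default of disabled,
# so anyone who can reach the port can read and modify every collection.
---
# Corrected configuration (constructed example): private interfaces only,
# and every client must present credentials.
net:
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the assumed private app-network address
  port: 27017
security:
  authorization: enabled       # role-based access control; no anonymous access
```

Restricting bindIp and enabling authorization should be done together: binding to private addresses keeps the instance off Shodan, while authorization limits the damage if the network boundary is ever misconfigured again, which is the scenario the page describes (a change made “in the course of development of certain product enhancements”). After any such change, confirm from outside the network perimeter that port 27017 is not reachable, and treat a database that sat unauthenticated on the internet as compromised for the purpose of credential and notification decisions, since the logs usually cannot prove nobody read it.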
Sitter Patched The Vulnerability
After his discovery on August 13, 2018, Bob Diachenko promptly notified Sitter. Sitter fixed the issue shortly after receiving the alert. Below is a copy of Sitter’s statement as quoted by Diachenko.
“Sitter has already notified all of its users and partners of the temporary data breach you identified that resulted in the last week in the course of development of certain product enhancements. The security vulnerability was immediately re-secured. Sitter prides itself on trust, openness, and transparency with its users and is committed to maintaining a secure environment for its users.”
Though the researcher confirms that the database was not hit by any ransomware attack, how long the data remained exposed online is still unknown.