ABBYY – a Russian OCR developer and text recognition firm – has reportedly left a treasure trove of scanned documents exposed. The database remained online without password protection, allowing anyone to view the data. A researcher found the data using Shodan and then reported it to the firm.
ABBYY Leaked 200K Scanned Documents Online
As disclosed by Bob Diachenko via his article on LinkedIn, ABBYY left a large number of official documents exposed online on an open server. Diachenko, an independent security researcher previously affiliated with Kromtech, stumbled upon this database while researching open MongoDBs via Shodan.
As stated in his blog post,
“On August 19th, I came across a 142GB US-based / AWS-hosted MongoDB, not protected by password and login, hence available for public access.”
He began analyzing the data to identify the owner. He found some files named “documentRecognition” or “documentXML” that hinted that the owner was a data recognition company. Later, while analyzing the user details from the exposed data, he identified the owner as ABBYY – a content intelligence solutions provider.
The unprotected MongoDB not only exposed user details (corporate names and encrypted passwords) but also leaked thousands of company documents. As per his findings,
“MongoDB in question also contained a large chunk of scanned documents (more than 200 thousand contracts, NDAs, memos, letters and other internal documentation, properly OCR’d and stored) which apparently were stored by ABBYY partners using their administration console.”
Though his articles did not mention a precise number of documents, he told TechCrunch that there were 203,896 scanned files.
ABBYY Fixed The Flaw
After finding the open database, Diachenko informed the firm by sending notifications to some email addresses he took from the database. He then received ABBYY’s response regarding the ‘temporary data breach’.
“Thank you for your notification of a temporary data breach that affected one of our customers. We corrected this issue and appreciated your validation that the vulnerability noted was resolved. We have notified the impacted party and have taken a full corrective security review of our infrastructure, processes, and procedures. Our commitment to security and trust is extremely important.”
However, ABBYY neither disclosed the affected customer’s name nor said anything about whether anyone else had previously accessed the database.
This incident adds one more to Bob Diachenko’s research on open MongoDB instances. Some days ago, he reported how the babysitting app ‘Sitter’ exposed 93 thousand customer records via an open MongoDB.