UK-based marketing firm Snaptrip has recently joined the trail of accidental data exposures. Through an unprotected database, Snaptrip exposed customers’ data, including explicit personal and payment information.
Snaptrip Exposed Customers’ Data
Security researcher Bob Diachenko encountered another unsecured MongoDB database. It belonged to a London-based company, ‘Snaptrip’, which operates a ‘last-minute’ cottage deals service. Snaptrip exposed sensitive customer details through this unprotected database.
As disclosed in his blog post, he found the publicly accessible MongoDB database on May 21, 2019. Upon digging into the matter, he found exposed admin credentials and hashed passwords. The database, titled ‘Snap-Trip-Api’, exposed 1006 records, including sensitive personal and payment data of the customers. Specifically, the personal details included customers’ full names, contact numbers, addresses, and email addresses. The payment data included credit card details such as brand/name/type/PAN token/CVV token.
Database Closed Shortly After Shodan Indexing
The researcher noticed that Shodan had indexed the open database’s IP on May 17, 2019. He discovered the database on May 21, 2019, four days after it was indexed. Following this discovery, he quickly informed the company about the matter. Commendably, the database went offline within hours of the report.
While the company has taken the database offline, it remains unconfirmed whether it informed the customers about the incident. The firm didn’t reply to the researcher’s queries on this point.
Just recently, we learned how a hacking group, ‘Unistellar’, wiped 12,000 open MongoDB databases. The hackers simply leveraged the opportunity to demand ransom from these firms. Even if they fail to collect it, they still hold a treasure trove of data which they can use for various malicious activities. For instance, one of the databases they hacked recently contained 275 million records belonging to Indian citizens. Imagine how much data they would have acquired if every hacked database were that large.