More than 2,000 MongoDB databases operated by major domestic and foreign companies were left accessible under the government programme
Thousands of MongoDB databases operated by major domestic and foreign companies in Russia were left exposed for more than three years under a scheme that requires organisations to alow the government to access their data.
The companies affected included banks, telcos and even Disney Russia, according to Dutch researcher Victor Gevers.
MongoDB is typically used for the analysis of large amounts of information, with, for instance, the UK’s Met Office using it to process huge amounts of data from outer space for space weather forecasts.
But when left unsecured they can be targeted by hackers, as occurred two years ago, when Gevers discovered that tens of thousands of MongoDB databases had been deleted by hackers, who requested a ransom to be paid in Bitcoin for their return.
In this case, the databases were operated by private companies in order to provide the Russian government with access to company data.
But the government “firstname.lastname@example.org” credentials were set up without a password, meaning anyone could have accessed the databases from the internet, Gevers said.
Gevers said he didn’t investigate what the databases contained, in order to protect companies’ privacy.
He said Russian law requires the government to be provided with access to company systems that handle financial transactions.
He first discovered the government credentials on a Russian Lotto website, and later found the same credentials used on more than 2,000 others, including Russian banks and financial services companies, and Russian telecoms company TTK, whose network operations centre (NOC) and security information and event management (SIEM) platforms were exposed.
Gevers found a MongoDB instance operated by the Ukraine’s Ministry of Internal Affairs which also used the unsecured Russian administrator credentials, in spite of the fact that Russia and the Ukraine had been in conflict for at least two years at the time.
That database contained data on investigations into corrupt politicians by the Ukraine’s General Prosecutor’s Office, Gevers said.
Gevers reported the issue to the Russian government in 2016, but said it took more than three years for the issue to be resolved.
He said he has never had a response from Russia, but that the credentials have not been surfaced for several months.
“The bottom line is if you let a government choose a password, make sure they don’t use the same credentials or password formula the same way over and over,” Gevers told itnews.