Skip to content ↓ | Skip to navigation ↓

ABBYY, the developer of optical character recognition and text-scanning software, left a server containing 142GB of a customer’s scanned documents exposed for anyone on the internet to access, no password required.

The AWS-hosted MongoDB server, accidentally left configured for public access, contained some 203,896 properly OCR’d contracts, non-disclosure agreements, memos, letters, and other sensitive documentation. TechCrunch reports that some of the exposed files date back as far as 2012.

The first ABBYY knew of the problem was when they were contacted by independent security researcher Bob Diachenko. As Diachenko explains in a LinkedIn post, he used the API of Shodan – a search engine that crawls the internet for connected devices – to discover the open accessible MongoDB installation, at which point in time he alerted ABBYY to the security issue.

A spokesperson for ABBYY was keen to describe the security breach as “a one-off incident” that “does not compromise any other services, products or clients of the company.”

They continued:

The incident in question concerns one rather than several customers and files bearing commercial information. The customer has been duly notified and we are cooperating on corrective measures. As soon as [Diachenko] notified us we locked external access to the documents. We have made all the notifications that are legally required, have conducted a full corrective security review of our infrastructure, processes and procedures.

The name of the affected company has not been made public, but a glance at ABBYY’s website reveals that it has some well-known multinational organisations as customers.

ABBYY secured the data two days after they were notified by Diachenko.

Of course, it is good that the sensitive information is no longer publicly accessible, but we don’t know how long the data was available for or if anyone malicious might have used the same techniques as Diachenko to discover it.

MongoDB comes with security features and provide a checklist for administrators to properly keep their databases out of the reach of unauthorised parties.

Unfortunately, many older versions of the database server are still in use, and they work by default without a password.

So it’s sadly no surprise to those who have worked a long time in the security industry that there continue to be news reports of organisations leaking data through publicly available, unauthenticated instances of MongoDB.

For instance, just last week Diachenko discovered an unsecured MongoDB instance used by a babysitter app that revealed sensitive details of 93,000 accounts including home addresses, number of children, phone numbers, address book contacts, partial payment card data, online chats, details about babysitting sessions and encrypted passwords.

And in the past, victims of hacks associated with MongoDB have included the likes of Verizon, ‘elite’ dating website BeautifulPeople, and 31 million users of an Android keyboard app.

In this day and age, connecting a naked, unsecured MongoDB instance directly onto the internet can only be described as reckless and inexcusable. The security issue is well known, and the means to protect against it is well-documented.

All computer users should feel like they can trust the companies that they deal with to treat their sensitive data with respect and not leave it lying around on the internet for anyone to come across.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.