Over 650 TB of Data Up For Grabs From Publicly Exposed MongoDB Database (csoonline.com)
itwbennett writes: A scan performed over the past few days by John Matherly, the creator of the Shodan search engine, has found that there are at least 35,000 publicly accessible and insecure MongoDB databases on the Internet, and their number appears to be growing. Combined they expose 684.8 terabytes of data to potential theft. Matherly originally sounded the alarm about this issue back in July, when he found nearly 30,000 unauthenticated MongoDB instances. He decided to revisit the issue after a security researcher named Chris Vickery recently found information exposed in such databases that was associated with 25 million user accounts from various apps and services, including 13 million users of the controversial OS X optimization program MacKeeper, as reported on Slashdot on Wednesday.
... deserves to lose their data as a lesson not to use amateur hour software.
Field data longer than 8kb? Ooh, can't index that and it won't get returned in a query using that index.
Shard gets corrupted? Oh bad luck, that's some of your data gone - unless you've also used replication, in which case you'll have spent 2 months trying to set it all up.
Lots of concurrent writes? Yeah, well, with MongoDB's single monolithic write lock - good luck with that.
Want a DB that uses encrypted network transfers between shards and replica sets? Sorry.
Want a DB that uses a sane query language - i.e. not one that's a nightmare mashup between pure javascript and parameter passing using javascript to an underpowered underlying query engine? Don't use mongo.
Etc., the list goes on.
Well, thanks to Rails and similar frameworks we've been treating the database as a dumb data repository for years. Not surprised that the kids have no idea how to make the things work properly.
I'm not sure about Postgres, but the default install of MySQL will only listen on localhost. So you have to change your config file to even get it to respond from a remote computer. Then there's the account you're actually accessing it from. By default, the root account in MySQL is also only accessible from localhost. So that's 2 things you have to change simply to even allow a connection from a remote machine in MySQL.
I agree that there's a bigger problem with people just wanting to "get the job done". Even those two steps only take about 20 minutes to figure out how to get around them and leave your root account accessible from the internet, even if you have no idea what you are doing. But shipping the database with such a lack of security is right up there with default passwords on home routers and other such problems. Stuff like this just shouldn't happen. Even if the security can be easily disabled by a determined user, it shouldn't be insecure by default. That way, if they have an insecure setup, at least it's because of something they actively went out and did themselves.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
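As an added illustration of the "insecure by default" point made in the comment above (this script is not from the article or from any commenter), the two settings that decide whether a MongoDB instance ends up in a scan like Matherly's are the listening address and whether authorization is enforced. The script below audits a mongod.conf for both, comparing a constructed exposed configuration with a constructed hardened one. `net.bindIp`, `net.bindIpAll` and `security.authorization` are real mongod.conf keys; the tiny two-level YAML parser, the sample configs and the finding codes are assumptions of this example, and an unset `net.bindIp` is deliberately reported as a finding rather than trusting whatever the build's default happens to be.

```python
"""Audit a mongod.conf (YAML form) for the two settings that make an instance
publicly reachable without credentials: listening address and authorization.
Added example, not the article's or any commenter's code."""
from typing import Dict, List, Tuple

# Constructed sample configurations (not taken from the page).
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_flat(conf: str) -> Dict[str, str]:
    """Minimal parser for the two-level 'section:\\n  key: value' layout that
    mongod.conf uses (assumption: no deeper nesting, no lists). Returns
    dotted keys such as 'net.bindIp'."""
    result: Dict[str, str] = {}
    section = ""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:
            section = key
            if value:
                result[key] = value
        else:
            result[f"{section}.{key}"] = value
    return result


def audit(conf: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means both checks pass.
    Codes are 'bind' (listens beyond loopback or unspecified) and 'auth'."""
    settings = parse_flat(conf)
    findings: List[Tuple[str, str]] = []

    bind_ip = settings.get("net.bindIp")
    bind_all = settings.get("net.bindIpAll", "false").lower() == "true"
    if bind_all:
        findings.append(("bind", "net.bindIpAll is true: mongod listens on every interface"))
    elif bind_ip is None:
        # Do not rely on the binary's default; require it to be explicit.
        findings.append(("bind", "net.bindIp is not set: listening address depends on the build default; set it explicitly"))
    else:
        public = [a.strip() for a in bind_ip.split(",") if a.strip() not in LOOPBACK]
        if public:
            findings.append(("bind", f"net.bindIp includes non-loopback address(es): {', '.join(public)}"))

    if settings.get("security.authorization", "").lower() != "enabled":
        findings.append(("auth", "security.authorization is not 'enabled': any client that can connect has full access"))
    return findings


def is_exposed_unauthenticated(conf: str) -> bool:
    """True when the instance both listens beyond loopback (or does not say)
    and requires no credentials: the combination the Shodan scan counts."""
    codes = {code for code, _ in audit(conf)}
    return "bind" in codes and "auth" in codes


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: exposed_unauthenticated={is_exposed_unauthenticated(conf)}")
        for code, message in audit(conf):
            print(f"  [{code}] {message}")
```

Binding to loopback only blocks remote connections at the network layer, and enabling authorization means a client that does reach the port still needs a user; the script treats either one alone as a finding because defence in depth wants both, but only the combination of a wide bind and no authorization matches what the article describes.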