Slashdot Mirror

← Back to Stories (view on slashdot.org)

MongoDB Config Error Exposed 93M Mexican Voter Records (csoonline.com)

Posted by msmash on from the you-just-got-famous dept.

An anonymous reader cites an article on CSOOnline: A 132 GB database, containing the personal information on 93.4 million Mexican voters has finally been taken offline. The database sat exposed to the public for at least eight days after its discovery by researcher Chris Vickery, but originally went public in September 2015. Vickery, who works as a security researcher at Kromtech, discovered the MongoDB instance on April 14, but had difficulty tracking down the person or company responsible for placing the voter data on Amazon's AWS. He first reached out to the U.S. State Department, as well as the Mexican Embassy, but had little success. The database contains all of the information that Mexican citizens need for their government-issued photo IDs that enable them to vote. Along with their municipality, and district information, the database records include the voter's name, address, voter ID number, date of birth, the names of their parents, occupation, and more. [...] Given that the database has been online since September 2015, it isn't clear how many people have accessed the records. Additionally, the actual owner of the account hosting the data remains unknown.

29 of 69 comments (clear)

  1. I'm sure the MongoDB devs must be proud by Anonymous Coward · · Score: 4, Insightful

    Look at all this fail they've enabled with their shitty defaults.

    Even mysql demands that I configure a root password when I install it.

  2. Turkey... by SumDog · · Score: 1

    It's happened with Turkey and now Mexico (although with Turkey that was more malicious).

    We haven't had this sense of digital identity that we have today. In the US, our tax numbers are secrete (SSN numbers) but in many other countries, tax ID numbers are considered public or non-identifying (Australian's TFNs and NZ's IRD # come to mind).

    Go back 100 years and you didn't have passports or work visas. If you could speak the language in your destination, you could go and attempt to work and survive (and if you failed there was a good chance you'd end up a slave; either by selling yourself or being sold).

    Today you are attached to a digital identity. It is you, and a you that you cannot escape. Your crimes will always follow you. You cannot live or work anywhere without that digital identity of you being allowed to.

    This just needs to happen in the US. The release of everyone's names, addresses, SSNs and SSN questions/histories would be almost a Fight Club like reset.

    1. Re:Turkey... by Cimexus · · Score: 2

      That not how I would characterise the difference between Australian TFNs and US SSNs (I have both).

      In Australia, the TFN is a very sensitive piece of information and the only people who would ever ask for it are those you would expect to ask for a tax number: the tax department, your employer, and your bank/financial institutions. There are strict guidelines governing its use and it is explicitly defined as identifying information: https://www.oaic.gov.au/indivi...

      On the other hand, the US SSN is used for freaking everything. I had to prove my SSN to sign up for cable TV! I'd say the Australian TFN is far more 'secret' than the US SSN...

  3. Phillipines too-55M records by schwit1 · · Score: 1

    Less than a month ago http://www.theregister.co.uk/2...

  4. Hey, Look! by Rich_Lather · · Score: 1

    Florida's voter rolls were uhhhh Hacked! http://flvoters.com/by_name/in...

  5. Obligatory by galabar · · Score: 2

    https://www.youtube.com/watch?...

    1. Re:Obligatory by Anonymous Coward · · Score: 1

      Mongo only pawn in game of life...

  6. Re:132GB?? by fsagx · · Score: 1

    Webscale!

  7. Re: So the new Ubuntu with its missing systemd... by Anonymous Coward · · Score: 1

    systemd is simply a disaster.

  8. Stop treating Mongo as a real DB by Viol8 · · Score: 4, Insightful

    ... and start treating it as a key-value file system and it all makes sense. Sadly the mongo devs want us to think its a competitor to mySQL or even Oracle. Yeah, right.

    Amateur hour DB + amateur hour admins = trouble ahead.

    1. Re:Stop treating Mongo as a real DB by Anonymous Coward · · Score: 2, Insightful

      Stop blaming the technology for the idiots who use it. If you make a DB public what do you expect? You can do the exact same thing with any other DBMS.

    2. Re:Stop treating Mongo as a real DB by JustAnotherOldGuy · · Score: 1

      Stop blaming the technology for the idiots who use it. If you make a DB public what do you expect? You can do the exact same thing with any other DBMS.

      NO, you can't. mySQL requires, yes, requires you to assign a root password upon install.

      Face it, the MongoDB defaults are shit. Just admit it and stop blaming the poor fuckers who have to use it. Yes, they should have assigned a password, but the fact of the matter is that MongoDB should have made it impossible not to.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    3. Re:Stop treating Mongo as a real DB by CastrTroy · · Score: 1

      Not only does it require that you assign a root password, it also requires you to change the config to listen on an ip address other than localhost. You also have to create a new user, as the default root user can only connect from local host.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  9. Beginning to be a common headline by bano · · Score: 1

    "MongoDB Config Error Exposed..." is the new "Florida Man..."

  10. Re: So the new Ubuntu with its missing systemd.. by Anonymous Coward · · Score: 1

    It's sad to see that "most" things working is now acceptable for Linux. I miss the old days when the quality bar was set much higher.

  11. Re:132GB?? by omnichad · · Score: 3, Insightful

    For ~ 83 million registered voters, that's 1.57KB per voter. It's a lot, but it's not obscene. You can see a sample redacted db record on the article. They have voter ID laws, so they have a bit more info, including maternal/paternal parents.

    You can't even store 1 byte per voter on less than 50 floppy disks.

  12. Re:Awesome by __aaclcg7560 · · Score: 1

    I have been trying to get a job as a brick layer for the last 2 years. However, because my name is not Hernandez, I am summarily disqualified.

    That's funny. When I applied for unemployment benefits a few years ago, I discovered that "C RAMOS" was using my Social Security number. With my Social Security number, he got himself a job. Maybe your problem isn't your last name but your Social Security number (or lack thereof). Employers won't hire anyone off the street without a Social Security number.

  13. Wow, 132Gb by JustAnotherOldGuy · · Score: 1

    Oh my, 132Gb of tasty, tasty user data. It's like an all-you-can-eat hacker buffet.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Wow, 132Gb by St.Creed · · Score: 1

      That's true. But fortunately, the citizens live in a nice quiet country where there is no risk at all from having all your data publicized. Especially when you're working undercover, or get caught in the crossfire, there is no risk at all from having your adress and that of relatives exposed on the internet.

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
  14. Now's the chance. by idbeholda · · Score: 1

    We'll finally be able to steal our jobs back from Mexico.

  15. Re: I'm sure the MongoDB devs must be proud by sumdumass · · Score: 1

    You should have used a US address on those credit card applications. The Mexican government would probably take notice of their registered voters living in the USA and build Trump's wall after all- whether he is elected or not.

  16. Re:Awesome by sumdumass · · Score: 1

    I think your problem goes deeper than your name. I would suggest looking into the use of USAian for starters. It probably branches out near there.

    Remember, the interview is there to either select or weed out the idiots.

  17. This could be on purpose by degantyll · · Score: 1

    Elections are harsh in Mexico, with the PRI (Institutional Revolutionary Party) doing whatever it takes to hold onto power. This might very well be on purpose to extract data on voters to fake votes and inflate ballot boxes. A good bribe to the sysadmin or even a harsh threat (political parties are known to have nexus with organized crime) could have been the reason for this.

  18. Re:So the new Ubuntu with its missing systemd... by F.Ultra · · Score: 1

    Please explain why the MongoDB binary built for trusty (Ubuntu 14.04LTS) which you choose to use in your example should contain a systemd unit file when systemd wasn't introduced until wily (Ubuntu 15.10)?

  19. Re:So the new Ubuntu with its missing systemd... by F.Ultra · · Score: 2

    Why do you anti systemd trolls keep lying when it's so easy to prove you wrong? All one have to do is look at the File List of the mongodb-server package in Ubuntu 16.04LTS: http://packages.ubuntu.com/xen... and what do we find there:

    /lib/systemd/system/mongodb.service

    Well I be damned, a systemd unit file, which you now have claimed in several articles does not exist even though it does. Interesting isn't it?

  20. Re: So the new Ubuntu with its missing systemd... by F.Ultra · · Score: 1

    Remind me again how this is Red Hats fault when Red Hat does not provide any MongoDB packages at all? If you want to run MongoDB on Red Hat you have to download a rpm from MongoDB:s third party repository so any unit or script included there is all done by MongoDB and not Red Hat.

  21. Re:Awesome by Anonymous Coward · · Score: 1

    What is wrong with USAian? To claim that your are an American when you are really from the USA seems a little non-specific, especially when taken in the context of nationalism (which is what this is about). One might as well just say He is from the Western Hemisphere, or the planet Earth. America is not the USA. The USA is not America. America is two fucking continents and 37 fucking countries.

  22. Re:So the new Ubuntu with its missing systemd... by F.Ultra · · Score: 1

    And those steps download the MongoDB binary built for precise which is even older (Ubuntu 12.04LTS). It's like you are not even trying here.

  23. Re: So the new Ubuntu with its missing systemd... by F.Ultra · · Score: 1

    This has nothing to do with the version of Mongo but with the version of Ubuntu it was built for. Every post that have tried to "reproduce" this step have downloaded Mongo for either 12.04LTS och 14.04LTS, both which is non systemd Ubuntu releases so of course you will not find a systemd unit file in either of them. MongoDB where however included in the official Ubuntu repository as of 16.04LTS and lo and behold it does include a systemd unit file. So you have all been played to anti systemd trolls that know exactly why the unit file is missing from the packages that the point to but still use it as an argument even though the know that it's false. It's like trying to prove that there are no penguins in the North Pole by showing that there are no Penguins in some African country, it's disingenuous.