Slashdot Mirror

← Back to Stories (view on slashdot.org)

MongoDB Config Error Exposed 93M Mexican Voter Records (csoonline.com)

Posted by msmash on from the you-just-got-famous dept.

An anonymous reader cites an article on CSOOnline: A 132 GB database, containing the personal information on 93.4 million Mexican voters has finally been taken offline. The database sat exposed to the public for at least eight days after its discovery by researcher Chris Vickery, but originally went public in September 2015. Vickery, who works as a security researcher at Kromtech, discovered the MongoDB instance on April 14, but had difficulty tracking down the person or company responsible for placing the voter data on Amazon's AWS. He first reached out to the U.S. State Department, as well as the Mexican Embassy, but had little success. The database contains all of the information that Mexican citizens need for their government-issued photo IDs that enable them to vote. Along with their municipality, and district information, the database records include the voter's name, address, voter ID number, date of birth, the names of their parents, occupation, and more. [...] Given that the database has been online since September 2015, it isn't clear how many people have accessed the records. Additionally, the actual owner of the account hosting the data remains unknown.

7 of 69 comments (clear)

  1. I'm sure the MongoDB devs must be proud by Anonymous Coward · · Score: 4, Insightful

    Look at all this fail they've enabled with their shitty defaults.

    Even mysql demands that I configure a root password when I install it.

  2. Obligatory by galabar · · Score: 2

    https://www.youtube.com/watch?...

  3. Stop treating Mongo as a real DB by Viol8 · · Score: 4, Insightful

    ... and start treating it as a key-value file system and it all makes sense. Sadly the mongo devs want us to think its a competitor to mySQL or even Oracle. Yeah, right.

    Amateur hour DB + amateur hour admins = trouble ahead.

    1. Re:Stop treating Mongo as a real DB by Anonymous Coward · · Score: 2, Insightful

      Stop blaming the technology for the idiots who use it. If you make a DB public what do you expect? You can do the exact same thing with any other DBMS.

  4. Re:132GB?? by omnichad · · Score: 3, Insightful

    For ~ 83 million registered voters, that's 1.57KB per voter. It's a lot, but it's not obscene. You can see a sample redacted db record on the article. They have voter ID laws, so they have a bit more info, including maternal/paternal parents.

    You can't even store 1 byte per voter on less than 50 floppy disks.

  5. Re:Turkey... by Cimexus · · Score: 2

    That not how I would characterise the difference between Australian TFNs and US SSNs (I have both).

    In Australia, the TFN is a very sensitive piece of information and the only people who would ever ask for it are those you would expect to ask for a tax number: the tax department, your employer, and your bank/financial institutions. There are strict guidelines governing its use and it is explicitly defined as identifying information: https://www.oaic.gov.au/indivi...

    On the other hand, the US SSN is used for freaking everything. I had to prove my SSN to sign up for cable TV! I'd say the Australian TFN is far more 'secret' than the US SSN...

  6. Re:So the new Ubuntu with its missing systemd... by F.Ultra · · Score: 2

    Why do you anti systemd trolls keep lying when it's so easy to prove you wrong? All one have to do is look at the File List of the mongodb-server package in Ubuntu 16.04LTS: http://packages.ubuntu.com/xen... and what do we find there:

    /lib/systemd/system/mongodb.service

    Well I be damned, a systemd unit file, which you now have claimed in several articles does not exist even though it does. Interesting isn't it?