These days it’s quite easy for an ordinary person to get the contact details of any business or organization for a certain fee or subscription. However, should seemingly non-sensitive data be so easily available?
123GB of personal data exposed
On November 5th, we discovered an open and unprotected MongoDB database, 123GB in size, containing 9,376,173 records of personal data:
- company name
- company description
- first/last name
- title / level / position
- company size
- company revenue
- phone number
- company domain
- email confidence score
- total contacts available in the company
- emails of every contact in the company
The publicly available database was not password protected and allowed anyone with an internet connection and a MongoDB ID to access the customers’ files.
While the data itself might be non-sensitive, the availability of it online without any authentication is not something you would expect. The lawfulness of web scraping as a method of gathering data is debated, but open access to private data is definitely illegal. For companies, the disclosure of customer data may lead to a fine of €20 million or 4% of annual turnover, whichever is greater, according to the recent GDPR regulation.
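The exposure described above comes down to two mongod settings: authorization left off and the listener bound to every interface. The following audit script is an added example written for this article, not code from Adapt.io or from the MongoDB project; it carries a deliberately minimal YAML reader (a hypothetical helper, not PyYAML) that understands the two-level "section:/  key: value" layout of a standard mongod.conf, and runs the check over two constructed configurations, the weak one beside the hardened one.

```python
"""
Audit a mongod.conf for the two settings that turn a MongoDB instance into
an open database: security.authorization not enabled, and net.bindIp (or
net.bindIpAll) exposing the port on every interface.

The YAML reader below is a hypothetical, minimal helper that only handles
the "section:\n  key: value" shape of a stock mongod.conf; a production
audit tool should use PyYAML instead.
"""

# Constructed sample: the weak configuration (no authorization, listening everywhere).
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: the hardened configuration (authorization on, localhost only).
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_simple_yaml(text):
    """Parse 'section:\\n  key: value' YAML into {section: {key: value}}.

    Comments and blank lines are skipped; values are kept as strings.
    """
    tree = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:
            section = key
            tree.setdefault(section, {})
        else:
            if section is None:
                raise ValueError("indented key without a section: %r" % raw)
            tree[section][key] = value
    return tree


def audit_mongod_conf(text, legacy_default_bind_all=False):
    """Return a list of findings; an empty list means both checks pass.

    A missing net.bindIp is treated as localhost, which is the default since
    MongoDB 3.6; pass legacy_default_bind_all=True for older releases, where
    an absent bindIp meant all interfaces.
    """
    conf = parse_simple_yaml(text)
    findings = []

    # Check 1: authorization must be switched on, otherwise any client that
    # reaches the port can read and modify every collection.
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append(
            "security.authorization is not 'enabled': anyone who can reach "
            "the port can read every collection"
        )

    # Check 2: the listener should not be exposed on all interfaces.
    net = conf.get("net", {})
    default_bind = "0.0.0.0" if legacy_default_bind_all else "127.0.0.1"
    bind_ips = [ip.strip() for ip in net.get("bindIp", default_bind).split(",")]
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    if bind_all or any(ip in ("0.0.0.0", "::") for ip in bind_ips):
        findings.append(
            "net.bindIp listens on all interfaces: the database is reachable "
            "from the internet unless a firewall blocks port 27017"
        )
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit_mongod_conf(conf) or ["ok"])
```

Run it against your own /etc/mongod.conf by reading the file into `audit_mongod_conf`; a clean result still assumes a firewall in front of the host and that at least one user with a role has actually been created, since enabling authorization on an instance with no users leaves only the localhost exception.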
Who owns the data?
Upon closer examination of the exposed data, we can conclude that the database originates from a service named Adapt.io. According to their site, “Adapt provides access to millions of business contacts. Adapt’s free tools help you enrich business profiles on any website with email, phone and a number of contacts.”
It is not clear whether the database was intentionally disclosed by Adapt.io or if it was a result of a misconfiguration.
We have contacted the team to responsibly disclose the vulnerability, but we have received no reaction or feedback from Adapt.io as to the potential source of the data breach. We will update this article if/when we hear back from them.
Have I Been Pwned?
Have you heard about HaveIBeenPwned? It’s a system which contains a large database of breached accounts. After the Adapt.io case, 9.3 million email addresses were uploaded to Troy Hunt’s HaveIBeenPwned system, so those affected should receive a notification shortly.
See more details and screenshots from the database in our factsheet.
Don’t let cases like this happen to your company. Forewarned is forearmed. A proven approach to security is not only tackling data breaches, but also preventing them. €20 million is quite a large sum to lose for not securing your database. By launching a bug bounty program you will be able to get continuous information on the security of your company and allow independent security researchers to report the vulnerabilities they discover in a legal way. You can contact our team to learn how to secure your company data and digital assets.