Leaving a database exposed online without a password can be extremely damaging for both businesses and their customers. Despite this risk, a new report from NordPass has identified a total of 9,517 unsecured databases containing more than 10bn entries filled with data such as emails, passwords and phone numbers.
To conduct its research, the company behind the new password manager partnered with a white hat hacker who scanned Elasticsearch and MongoDB libraries between June of last year and this year looking for exposed, unprotected databases.
The exposed databases were found across 20 different countries, with China, the US and India at the top of the list. China had nearly 4,000 exposed databases with 2.6bn entries, the US had 2,703 with 2.4bn entries and India had just 520 with 4.8m entries.
While some of this data may be useless and only used for internal testing by companies, much of it could be quite damaging if exposed. Cybercriminals have also launched a new series of so-called "meow" attacks that completely wipe the data stored on unsecured databases without any explanation or even a ransom note.
Finding exposed databases online
Although it may sound complicated at first, finding exposed databases online is actually quite easy using search engines like Censys or Shodan. With them, anyone can scan the web and view open databases in just a few clicks.
Chad Hammond, a security expert at NordPass, explained in a press release how businesses can better secure their customer data online, saying:
“Every company, entity, or developer should make sure they never leave any database exposed, as this is obviously a huge threat to user data. Proper protection should include data encryption at rest, wire (in motion) data encryption, identity management, and vulnerability management. Data can be exposed to risks both in transit and at rest and therefore requires protection in both states.”
Exposed databases have led to customer data ending up online in the past, but the recent wave of meow attacks may end up being the wake-up call needed by businesses that have yet to secure their databases.