MongoDB Database Exposed 188 Million Records

Image containing the words “data breach”

An exposed MongoDB database was found on June 18, 2019. It contained 188 million records with personal information, just laying out in the open.

188M

Most of the records looked like it came from websites like Pipl.com and LexisNexis. Pipl is a people search engine while LexisNexis is a legal search engine. Roughly 800,000 records were from LexisNexis. Personal data from Pipl included:

  • First and last name
  • Aliases and past name
  • Email address
  • Physical address
  • Date of birth
  • Court and bankruptcy notes
  • Phone number
  • Social media profile links
  • Political affiliations
  • Race
  • Religion
  • Skills
  • Gender
  • Employers past and present
  • Automobiles and property
mongodb database records
Some of the database records. Credit: Comparitech

Comparitech, working with security researcher Bob Diachenko, notified the owener of the database, who shut down access to it on July 3, 2019. But by then it had been indexed by search engines. It doesn’t sound like either website suffered a data breach. Instead, the creators of a peoples search API called thedatarepo scraped or bought the data from Pipl and LexisNexis.

Further Reading:

[British Airways Set For £183 Million GDPR Data Breach Fine]

[Marriott Set For Major GDPR Fine]

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.