MongoDB unprotected data swells to 685TB

There is a total of 685TB of private data from mongoDB instances sitting online, without any protection, researchers have uncovered.

Following the recent discovery by security researcher Chris Vickery, which saw the data of more than 13 million MacKeeper users exposed, another researcher ventured even deeper and found even more unprotected data.

A developer at online devices search engine Shodan, John Matherly, investigated the publicly accessible mongoDB databases in July and found some 600TB of data there. After the MacKeeper discovery he ventured back, and saw that the database grew by another 80TB and that no security measures are in place.

In his new investigation, which he describes on his blog, Matherly found that the number of publicly available, unauthenticated instances of MongoDB running on the internet had increased by 5,000. According to the blog post, these are hosted mostly on Amazon, Digital Ocean and Alibaba's cloud computing service Aliyun.

This is something of a surprise though, as new versions of NoSQL are secure by default – which means users are changing the default setup to something less secure. They aren’t enabling firewalls for protection, either.

"In the previous article it looked like the misconfiguration problem might solve itself due to the new defaults that MongoDB started shipping with; that doesn't appear to be the case based on the new information. It could be that users are upgrading their instances but using their existing, insecure configuration files," said Matherly.

“Finally, I can't stress enough that this problem is not unique to MongoDB: Redis, CouchDB, Cassandra and Riak are equally impacted by these sorts of misconfigurations,” he added.