Shodan Exposes Customer Database on Website

External Threat Management

Shodan Exposes Customer Database on Website

December 22, 2015

By Steve Ginty

As a pastime, IT helpdesk professional Chris Vickery likes to poke around Shodan, the infamous search engine site for IoT devices. “There are a lot of interesting, educating and intriguing things that you can find on Shodan,” Vickery said. “But there’s a lot of stuff that should definitely not be out there, and when I come across those I try to notify the owner of the affected database.”

By running a search on Shodan for instances of database servers listening for incoming connections on port 27101 (a port used by the popular database management system MongoDB) -- Vickery stumbled upon a database server housing over 13M customer records belonging to Kromtech, the company that makes MacKeeper. Not being a hacker himself, Vickery responsibly disclosed the exposure to the company.

Hackers use tools like Shodan, nmap, Fierce [0], etc., to search for easy targets, like servers with open ports that may store information that can be sold on the black market or used in an attack campaign.

An exposed development server lead to one of the most significant breaches in US history, when an Iranian APT group broke into the Las Vegas Sands and took down their IT systems.

Are you immune to this problem? Digital footprint security exists to allow security professionals to see and secure a wide range of Internet-facing assets. If you have strong controls in place in your datacenter to prevent mishaps like this one, you still may be vulnerable on infrastructure created via Shadow IT or acquired via merger and acquisition.

A vast majority of the time when we conduct an evaluation using our Digital Footprint technology, we find undocumented assets, connected to the Internet, of which security teams are previously unaware—it is a ubiquitous issue.

Security teams come to RiskIQ to help them prevent attacks that exploit vulnerable, look-a-like, or orphaned digital assets, including web, social, and mobile channels, that exist outside their security perimeter. As a great example, DocuSign uses RiskIQ to address security risks associated with mergers and acquisitions, as well as other digital footprint security threats.

Featured Posts

External Threat Management

The RiskIQ Intelligence Connector for Microsoft Azure Sentinel Is the Context-Rich Force Multiplier Security Teams Need

Digital initiatives have changed the enterprise attack surface and how organizations appear online, both to users and malicious actors. Meanwhile, the threat landscape has evo...

#TwitterHack: How RiskIQ Data Exposed Hundreds of Domains Belonging to the Attackers

The discussions in the coming days and weeks surrounding yesterday's large-scale compromise of verified Twitter accounts, including those of Joe Biden, Barack Obama, and Bill G...

Partner Deep-Dive: RiskIQ Security Intelligence Services for Splunk

The average organization's digital presence has exploded in size. Even before COVID-19 spread their staff and operations outside the firewall, businesses were rapidly migrating...

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor

RiskIQ Illuminate® Datasheet

RiskIQ Illuminate® Datasheet

COVID-19 Solution Brief

5-Questions Security Intelligence Must Answer

5-Questions Security Intelligence Must Answer