Shodan Exposes Customer Database on Website

External Threat Management

Shodan Exposes Customer Database on Website

December 22, 2015

By Steve Ginty

As a pastime, IT helpdesk professional Chris Vickery likes to poke around Shodan, the infamous search engine site for IoT devices. “There are a lot of interesting, educating and intriguing things that you can find on Shodan,” Vickery said. “But there’s a lot of stuff that should definitely not be out there, and when I come across those I try to notify the owner of the affected database.”

By running a search on Shodan for instances of database servers listening for incoming connections on port 27101 (a port used by the popular database management system MongoDB) -- Vickery stumbled upon a database server housing over 13M customer records belonging to Kromtech, the company that makes MacKeeper. Not being a hacker himself, Vickery responsibly disclosed the exposure to the company.

Hackers use tools like Shodan, nmap, Fierce [0], etc., to search for easy targets, like servers with open ports that may store information that can be sold on the black market or used in an attack campaign.

An exposed development server lead to one of the most significant breaches in US history, when an Iranian APT group broke into the Las Vegas Sands and took down their IT systems.

Are you immune to this problem? Digital footprint security exists to allow security professionals to see and secure a wide range of Internet-facing assets. If you have strong controls in place in your datacenter to prevent mishaps like this one, you still may be vulnerable on infrastructure created via Shadow IT or acquired via merger and acquisition.

A vast majority of the time when we conduct an evaluation using our Digital Footprint technology, we find undocumented assets, connected to the Internet, of which security teams are previously unaware—it is a ubiquitous issue.

Security teams come to RiskIQ to help them prevent attacks that exploit vulnerable, look-a-like, or orphaned digital assets, including web, social, and mobile channels, that exist outside their security perimeter. As a great example, DocuSign uses RiskIQ to address security risks associated with mergers and acquisitions, as well as other digital footprint security threats.

Featured Posts

External Threat Management | Labs

Bear Tracks: Infrastructure Patterns Lead to More Than 30 Active APT29 C2 Servers

RiskIQ's Team Atlas has uncovered still more infrastructure actively serving WellMess/WellMail. The timing here is notable. Only one month ago, the American and Russian he...

Joining Microsoft is the Next Stage of the RiskIQ Journey

Today Microsoft announced its intent to acquire RiskIQ, representing the next stage of our journey that's been more than a decade in the making. We couldn't be more ...

Media Land: Bulletproof Hosting Provider is a Playground for Threat Actors

Bulletproof hosting (BPH) is a collection of service offerings catering to internet-based criminal activity. These businesses often operate in a grey area, attempting to appea...

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor

Forrester Wave: External Threat Intelligence Services, Q1 2021

RiskIQ Illuminate® Internet Intelligence Platform Datasheet

Five Security Intelligence Must-Haves For Next-Gen Attack Surface Management

Threat Investigations and Response RiskIQ Solution Brief

Illuminate One-Hour On-Demand Event