Bob Diachenko reports:
On March 8th, 2019, I identified a passwordless MongoDB database that was exposing sensitive information of an estimated 6,608 VivaGym job candidates and other business-related data. VivaGym is a Spanish low-cost gym franchise operating in Spain and Portugal.
At the moment of discovery, the database already had a ‘WARN’ collection, which is evidence that it had been accessed by a malicious script that targets unprotected databases, removes their content and leaves a Bitcoin ransom note inside the database.
The report lists the types of information involved as:
- Encrypted password
- DNI (Documento Nacional de Identidad)
- Last name / first name
- Username
- Login date and time
The exposed data also included business users’ information with their email addresses and passwords.
From Bob’s report, it sounds like the business quickly responded to the notification and had their vendor lock things down. They also promptly notified under GDPR.
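The two conditions behind this exposure, a mongod reachable from the internet with access control off, and an automated script that had already wiped it and left a WARN collection, are both cheap to check for. The Python below is an added example written for this post, not code from Bob Diachenko, SecurityDiscovery or VivaGym. The offline checks operate on the same structures a live server returns (the `parsed` section of `getCmdLineOpts`, and collection name lists); the optional `probe_live` helper assumes pymongo is installed. The sample instance data and the database name `candidates_db` are constructed for illustration, and the ransom-note names other than WARN are assumptions drawn from the general pattern of these scripts, not from the report.

```python
"""Triage a MongoDB instance for network exposure and wipe-and-ransom traces.

Added example, not part of the original post. Offline functions take the
structures the server itself returns; probe_live() wires them to a real
instance via pymongo (assumed installed).
"""
from typing import Dict, Iterable, List

# Collection-name prefixes automated MongoDB ransom scripts have used for
# their notes. "warn" matches the WARN collection in the report; the other
# prefixes are assumptions added for illustration.
RANSOM_NOTE_PREFIXES = ("warn", "readme", "read_me", "please_read")


def find_ransom_notes(collection_names: Iterable[str]) -> List[str]:
    """Return collection names that look like a ransom note.

    Heuristic: case-insensitive prefix match, so a legitimate collection
    called e.g. 'warnings_log' will also be flagged and needs a human look.
    """
    hits = []
    for name in collection_names:
        base = name.lower().lstrip("_")
        if base.startswith(RANSOM_NOTE_PREFIXES):
            hits.append(name)
    return hits


def assess_exposure(parsed_opts: dict) -> List[str]:
    """Evaluate the 'parsed' section of db.adminCommand('getCmdLineOpts').

    Only explicitly configured options appear there; mongod 3.6+ defaults to
    bindIp 127.0.0.1, and authorization is disabled unless set. An empty
    list means both basic controls are on.
    """
    findings = []
    net = parsed_opts.get("net", {})
    bind_ip = str(net.get("bindIp", "127.0.0.1"))
    wildcard = any(ip.strip() in ("0.0.0.0", "::") for ip in bind_ip.split(","))
    if net.get("bindIpAll") or wildcard:
        findings.append(f"listens on all interfaces (bindIp={bind_ip})")
    auth = parsed_opts.get("security", {}).get("authorization", "disabled")
    if auth != "enabled":
        findings.append("access control disabled (security.authorization != enabled)")
    return findings


def triage(parsed_opts: dict, db_collections: Dict[str, List[str]]) -> dict:
    """Combine both checks; db_collections maps database name -> collections."""
    notes = {db: find_ransom_notes(cols) for db, cols in db_collections.items()}
    notes = {db: hits for db, hits in notes.items() if hits}
    return {
        "exposure": assess_exposure(parsed_opts),
        "ransom_notes": notes,
        "likely_wiped": bool(notes),
    }


def probe_live(uri: str = "mongodb://127.0.0.1:27017/", timeout_ms: int = 3000) -> dict:
    """Run triage against a reachable instance with no credentials in the URI.

    If this succeeds at all, the server is 'passwordless' in the sense of
    the report. Assumes pymongo; imported lazily so the offline checks run
    without the driver.
    """
    from pymongo import MongoClient

    client = MongoClient(uri, serverSelectionTimeoutMS=timeout_ms)
    parsed = client.admin.command("getCmdLineOpts").get("parsed", {})
    dbs = {name: client[name].list_collection_names()
           for name in client.list_database_names()}
    return triage(parsed, dbs)


# Constructed sample modelled on the report: bound to every interface, no
# authorization configured, application collections gone, WARN left behind.
SAMPLE_OPTS = {"net": {"bindIp": "0.0.0.0", "port": 27017}}
SAMPLE_DBS = {"admin": ["system.version"], "candidates_db": ["WARN"]}

if __name__ == "__main__":
    print(triage(SAMPLE_OPTS, SAMPLE_DBS))
```

The hardened configuration is the complement of the two findings: `net.bindIp` limited to the loopback or the application subnet, `security.authorization: enabled`, and a dedicated, minimally privileged role for the application user rather than a wide-open listener fronted by nothing.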
Read more on SecurityDiscovery.