
Unprotected MongoDB with 180M user data exposed

A publicly available database was found to contain up to 188 million personal data records. It was discovered by security researcher Bob Diachenko and his team from Comparitech. The data consisted of people's names, email addresses, dates of birth, phone numbers, religion, and political affiliations.

The leaked information was sourced from Pipl.com and LexisNexis. Diachenko discovered the database shortly after it was indexed by search engines last month and traced it back to "a Github repo for a people search API called thedatarepo".

The information in the exposed database was found to have been scraped or purchased from Pipl.com and LexisNexis, confirming that the data was not there because Pipl or LexisNexis had actually been breached by hackers.

The information was exposed in such a way that anyone with an internet connection could have accessed it. It included first and last names, aliases and past names, email addresses, physical addresses, dates of birth, court and bankruptcy notes, phone numbers, social media profile links, political affiliations, race, religion, skills, gender, past and present employment details, as well as automobiles and property owned by individuals.

A source stated that the personal information contained "names, past names, addresses, gender, parental status, a short biography, family members, redacted emails, and info about the person’s neighbors including full names, dates of birth, reputation scores, and addresses".

Diachenko added that it will be difficult for people to check for their personal data records in the exposed database and get them removed, as data brokers like Pipl obtain information from a variety of public and proprietary sources and don't claim ownership over such data.

Those whose personal details were exposed had to go to the original source to have their information removed, but that seems very difficult.
