About 7,00,000 American Express customers in India had their personal details exposed online through an unprotected MongoDB server, which allowed anyone to access and edit the information.
The unprotected MongoDB server was discovered by Bob Diachenko, Director of Cyber Risk Research at the cyber-security firm Hacken, using Shodan and BinaryEdge.
Seems like @AmexIndia exposed its #MongoDB for a while, with some really sensitive data (base64 encrypted). Now secured (just when I was preparing responsible disclosure), but question remains how long it was open. Found with @binaryedgeio engine. pic.twitter.com/3kbXaS4cIz
— Bob Diachenko (@MayhemDayOne) October 25, 2018
According to Diachenko, most of the data on the server was encrypted and required a decryption key to view. But 689,272 records stored in plaintext, which contained readable links, Amex India customers’ phone numbers, names, email addresses, and type of card, were accessible to anyone who came across the database.
The 2,332,115 encrypted records contained more personal information, including customer names, addresses, Aadhaar numbers, PAN card numbers, and phone numbers.
“Upon closer examination, I am inclined to believe that the database was not managed by AmEx itself but instead by one of their subcontractors who were responsible for SEO or lead generation”, Diachenko said in a report by GBHackers.
Diachenko contacted the American Express incident response team, which was quick to respond. The database was secured from public access. The team also confirmed that there was no unauthorized access to the environment where the data resides.