An unsecured database has allowed at least one hacker to steal data from the servers of Modern Business Solutions (MBS), a company that provides data storage and database hosting solutions.
The company has yet to provide an official statement to the press surrounding the incident, but they have secured the vulnerable database against external access.
Responsible for the data breach is a hacker that goes on Twitter as 0x2Taylor. The hacker published the stolen data on his Twitter account on three different occasions after file hosting services kept removing the data from their servers.
US cyber-security firm Risk Based Security (RSB) has analyzed the leaked data, and confirmed it came from a MongoDB database, and that it contained details on 58 million users.
The stolen data includes details such as full names, IP addresses, dates of birth, email addresses, vehicle data, and occupations.
In private conversations with 0x2Taylor, the hacker confirmed to RBS he downloaded the data from a MongoDB database left exposed online.
In subsequent conversations, the hacker revealed that a friend had discovered the unprotected MongoDB database using Shodan and foolishly shared the IP online without informing the company first.
RBS worked with a reporter from DataBreaches.net and notified the company about the breach. MBS took the necessary steps to secure the database but did not provide an official statement on the incident.
RBS researchers who analyzed the data spotted many database tables prefixed with “hw_”. MBS’s main product is a cloud-based data management platform called Hardwell Data. MBS did not confirm that the unsecured database stored data about Hardwell Data customers.
RBS also notes that just before MBS secured its leaky MongoDB database, 0x2Taylor shared a screenshot with its analysts revealing he found additional database tables containing data on around 258 million users.
This later development in the MBS data breach could not be verified by the RBS staff because MBS secured its database and 0x2Taylor did not release any of these later records.
“There have been 2,928 publicly disclosed data breaches so far this year, exposing more than 2.2 billion records. While 2.2 billion is a big number, RBS research indicates 55% of the breaches taking place in the first half of 2016 exposed 10,000 or less records,” the Risk Based Security team notes. “Unfortunately, some of the most notable ‘mega-breach’ exceptions have come from misconfigured databases.”
Softpedia has reached out to MBS and has offered to publish an official response if the company decides to issue a statement.
UPDATE: The Have I Been Pwned service has added a copy of the stolen MBS records to its service. Users can use the service to check if their data was exposed in the leak.
The stolen MBS files most likely belong to MBS customers. Affected users will find it very difficult to find the service that used MBS as a data management solution and change passwords or delete accounts.
As for 0x2Taylor, the hacker is now pondering if to release an additional 25.6 million user records, which he stole from the additional DB tables.