Submitted via IRC for SoyCow4408
The makers of Sitter, a popular app for connecting babysitters with parents, have involuntarily exposed the personal details of over 93,000 users.
The exposure took place last week and was caused by a MongoDB database left exposed on the Internet with no credentials.
Independent security researcher Bob Diachenko discovered the database. He told Bleeping Computer that he spotted the database on August 14, when he immediately reported the issue to the Sitter app makers. The Sitter team secured the database on the same day of the report, Diachenko said.
The database was previously indexed on Shodan, a search engine for Internet-connected devices, a day earlier, on August 13.
Source: https://www.bleepingcomputer.com/news/security/mongodb-server-exposes-babysitting-apps-database/
(Score: 1, Insightful) by Anonymous Coward on Monday August 27 2018, @06:13AM (2 children)
Incompetent owner causes [...] !
FTFY
What fucking imbeciles. Everybody involved should receive a 5-year block for working with private data.
Remember: it's not just the admin's fault. There's also a project manager who demanded impossible schedules, and a business superior who a) went along with enforcing that schedule and b) failed to implement a safeguard against human error on the admin's part.
People are not perfect, and shit always happens. It is an abject failure to not plan for those facts.
(Score: 0) by Anonymous Coward on Monday August 27 2018, @06:31AM
"MongoDB only pawn in game of life."
And most likely there was a "back" door to the Archdiosescies of Pennsylvania, and Natalie Portman all dressed up much younger looking and trying to warn the Cardinal that his life was in danger.
Oh, if only life followed movie plots!
(Score: 0) by Anonymous Coward on Monday August 27 2018, @02:55PM
MongoDB has authentication disabled by default. It's makes setting it up & configuring it easier (or so the story goes). Of course most intelligent people think it's a horrible idea, but at least MongoDB is web scale, and has sharding [youtube.com].
(Score: 1, Offtopic) by Runaway1956 on Monday August 27 2018, @07:31AM (1 child)
I'm not even a stalking or predatory kind of guy - but it crosses my mind that it would be nice to have vital details of hordes of nubile young females. (That presumes that most babysitters are females of child bearing age. With 93000 to choose from there are probably a bunch of damn fine looking girls!) The company needs to be held liable. It took them only a few hours to fix the problem - why didn't they examine their code for problems BEFORE outsiders found it? Why didn't they offer bounties for people who could FIND those vulnerabilities?
Abortion is the number one killed of children in the United States.
(Score: 2) by c0lo on Monday August 27 2018, @10:10AM
You know very well the answers.
There's no penalty for the executives and managers for private data breaches (especially in development stages) but there's a large penalty if they don't hit the on-time/on-budget targets, quarter after quarter. Minute things that defocus them will soon become out-of-sight out-of-mind - if something nasty happens, a hypocritical apology and promises it won't happen again it's all that's necessary and it's cheap.
This is where things like GDPR help.
No, stop speaking of 'market forces' and competition. Those things died with the notion of customers.
Nowadays, consumers are subhuman things, with short attention span (demanding jobs take care of that), which only need to be locked in, subjected to planned obsolescence and milked as much as possible (specifically, young mothers in this case - grin) Especially when they'll drop our product anyway when the kids no longer need babysitting.
https://www.youtube.com/watch?v=aoFiw2jMy-0
(Score: 3, Interesting) by bradley13 on Monday August 27 2018, @09:38AM (3 children)
"...have involuntarily exposed the personal details of over 93,000 users"
That's a strange word to use. Involuntarily, like it happened and they could do nothing about it. How about "stupidly", "irresponsibly", or maybe "carelessly"?
This kind of stuff is just beyond belief. Not only that the database should require credentials to log in; this is presumably the backend for their web service, so the server should refuse external database connections on principle. Security kindergarden here...
Everyone is somebody else's weirdo.
(Score: 2) by c0lo on Monday August 27 2018, @10:25AM
"Involuntarily" as in "I forgot about it". Like in "you don't accuse me I voluntarily forgot, do you?"
Because they need to show this as "minor mistake, could happen to anyone".
After all, what's the penalty for private data breaches? Especially when no CC or other financial info was exposed, and especially when our ToS (which consumers agreed with) allows us to sell this data to third parties anyway.
Does any consumer have a standing if they cannot show evidence of harm?
For this matter, do you have a standing? Cause without any skin in the game, you may be liable of slander calling them 'stupid' and 'irresponsible'.
https://www.youtube.com/watch?v=aoFiw2jMy-0
(Score: 2) by RS3 on Monday August 27 2018, @02:05PM
I think they're trying to befuddle by planting a word seed in people's minds.
The criminal prosecution will use: "negligently".
(Score: 0) by Anonymous Coward on Monday August 27 2018, @03:06PM
MongoDB should require credentials to log in, but ... from an article on medium.com:
(Score: 2) by requerdanos on Monday August 27 2018, @11:31AM
You turn it on, and it scales right up