ABBYY leaks over 203K client documents on MongoDB server


Sensitive information has been compromised

ABBYY, a company that develops optical character recognition (OCR) and text scanning software, left a server exposed that contained 142GB of a client's scanned documents, so that anyone with Internet access could read them without needing a password.

The MongoDB server, hosted on Amazon Web Services and accidentally configured for public access, contained about 203,896 scanned documents, including contracts, non-disclosure agreements, memos, correspondence and other types of confidential documentation. Cyber security organization specialists report that some of the exposed files date back to 2012.

ABBYY developers first learned of the problem when they were contacted by cyber security organization researcher Bob Diachenko. As the researcher explained in a LinkedIn post, he used the Shodan API, a search engine that indexes devices connected to the Internet, to discover the unsecured MongoDB installation. Upon making the discovery, Diachenko alerted ABBYY to the security problem.

A spokesman for ABBYY described the security breach as “an isolated incident” that “does not compromise any other service, product or customer of the company”. The name of the affected client has not been disclosed, but a glance at the ABBYY website reveals that its clients include reputable multinational organizations.

ABBYY secured the exposed data two days after being notified by the researcher. Although this is good news, it is not known how long the massive data leak went unnoticed. Unfortunately, many earlier versions of the database server are still in use, and they run by default without a password.

Therefore, it is no surprise to those who have long worked in the cyber security industry that reports keep appearing of organizations leaking data through MongoDB instances that require no authentication.
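As an added illustration that is not part of the article, the two `mongod.conf` settings behind exposures of this kind: the permissive form beside the hardened one. `net.bindIp` and `security.authorization` are real mongod options; the IP address is a placeholder.

```yaml
# Permissive mongod.conf (constructed example): the listener is reachable from
# every network interface and, because the security section is absent,
# mongod accepts any client without credentials. This is the pattern behind
# "open MongoDB" exposures such as the one described above.
net:
  port: 27017
  bindIp: 0.0.0.0          # answers on the public Internet as well as internally
# security:               # omitted: no authentication or role checks at all

---
# Hardened mongod.conf (constructed example): bind only to the interfaces that
# need the database and require every client to authenticate and hold a role.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus a private app-network address (placeholder)
security:
  authorization: enabled   # clients must authenticate; access is then role-based
```

Enabling `authorization` without first creating an administrative user locks everyone out, so the user is created on a localhost connection before the setting is turned on. Since MongoDB 3.6 the shipped default for `bindIp` is localhost, but older installs and explicit overrides still expose the listener, which is why the authorization setting, not the bind address alone, is the control that matters.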

For example, Diachenko recently discovered an unsecured MongoDB deployment used by a babysitting app that revealed sensitive details of 93K accounts, including addresses, number of children, phone numbers, user contacts, in-app chats, and encrypted passwords.

Previously, victims of hacking incidents associated with MongoDB have included Verizon, the BeautifulPeople dating website and 31 million users of an Android keyboard app.