MDB - embarrassing news

“Security researchers have found yet another unsecured database that left personal data exposed to the internet. In this latest case, a MongoDB database containing about 188 million records, mostly culled from websites and search engines, was exposed, researchers say.” https://www.bankinfosecurity.com/mongodb-database-exposed-18…

For a company in the data business, this does not look good. I’m still in the stock, but of course will watch it.

2 Likes

Whom it is embarrassing for is the owner of the database, not Mongo. Short of providing encryption tools, which Mongo does, the DB manufacturer can’t really provide default security. That has to come from whoever is hosting the DB.

I get page not found from your link, but from your quote it sounds like it may have been data culled by potential spammers … in which case you can understand why they weren’t very concerned with security!

27 Likes

Sorry about that link, Tamhas, and thanks for the heads up. Somehow the link was altered when I posted. Should be: https://www.bankinfosecurity.com/mongodb-database-exposed-18…

Doesn’t look like a spam site.

These incidents have been commented on by MDB in the past. Specifically for the one you posted…

"Ben Wolfson, a MongoDB spokesperson, states that a data exposure such as the latest incident is highly unlikely because MongoDB’s default security configuration restricts network access from the internet. Instead, the issue lies with its “free to download and use” community and not the MongoDB database, he says.

"To be clear - this instance does not involve a MongoDB customer but a user of the free to download and free to use community version," Wolfson says. “To be exposed in this manner, an administrator would have to change the default security configuration to allow unrestricted internet traffic in and out.”

How is this “embarrassing” to MDB?

🆁🅶🅱
I can see by your coat, my friend you’re from the other side…

22 Likes

It does not appear to be a Mongo issue:

But Ben Wolfson, a MongoDB spokesperson, tells ISMG that a data exposure such as the latest incident is highly unlikely because MongoDB’s default security configuration restricts network access from the internet. Instead, the issue lies with its “free to download and use” community and not the MongoDB database, he says.

“To be clear - this instance does not involve a MongoDB customer but a user of the free to download and free to use community version,” Wolfson says. “To be exposed in this manner, an administrator would have to change the default security configuration to allow unrestricted internet traffic in and out.”

While MongoDB provides education and guidance to ensure security configuration best practices are easily set up and deployed, Wolfson says that these best practices are sometimes ignored, which can result in a misconfigured database being exposed.

Matt

5 Likes

It might be a Mongo issue, but perhaps not one too hard to correct. Here are other snippets from the article I linked:

“This is the second MongoDB data leak reported in the last three months.”
“One of the primary reasons MongoDB databases are left exposed is that MongoDB, by default, has no password mechanism in place, according to security researchers.”

Anyway, thanks for the added clarification.

3 Likes

By the way, regardless of who is responsible for the breach, this news does not seem to be what caused MDB to drop today. This is from my Schwab service:

“MongoDB Shareholders Vote in Favor of Investor Review of Executive Pay
2:19 PM ET, 07/12/2019 - MT Newswires
02:19 PM EDT, 07/12/2019 (MT Newswires) – MongoDB (MDB) dropped more than 2% on Friday after the data-base company said shareholders at its annual meeting on Thursday overwhelmingly voted to review the compensation paid each year to its named executive officers on a non-binding advisory basis.”

1 Like

This reminds me of AYX 1.5 years ago, when a security breach was attributed to the user and not the product itself.
The stock went down and then it has been on a continual ascent…

Maybe MDB is going to follow the same fate.

tj

1 Like

MongoDB Shareholders Vote in Favor of Investor Review of Executive Pay

Why would that cause a drop in share price? Don’t understand. (Could be I tend to be one who thinks executive pay in this country is out of control in the first place…)

9 Likes

I had the same question, bjur, and that’s why I went on a news search. The two pieces of news I posted here were all I could find that I thought might be responsible. The SaaS stocks are generally down today but MDB really got hit.

It might be a Mongo issue

But it’s not. Mongo already offers layered security. Databases hosted on MongoDB Atlas are secure by default. Spend time at the Mongo web site and don’t rely on unnamed “security researchers”. Historically these intrusions arose from older free versions, and where basic administrator passwords were never set. Mongo can’t prevent freeloaders from doing stupid.

That said… 100% protection assurance is not possible for web-connected devices.

That’s all from me, as this is getting close to OT, and I don’t want to incur the wrath of our good uncle.

🆁🅶🅱
I can see by your coat, my friend, you’re from the other side…

8 Likes

How is it that a news item about a stock that was down pretty sharply at the time I posted it, and that a lot of us follow, is OT? Guess I don’t get it.

1 Like

Doesn’t look like a spam site.

The internet is full of sites which harvest information in various ways and from various sources and then make that information available for use. I see no indication that the origin sites for the data were breached or that the origin sites were even aware that the data was there. This suggests that the harvesting was unofficial and the usage questionable.

But, regardless, that only goes to the possible lack of motivation for applying appropriate security. That is not Mongo’s responsibility. They are responsible for providing appropriate security tools for the DB itself. They are NOT responsible for providing security that allows someone to get at the database from the internet.

This is not Mongo’s fault.

5 Likes

…but MDB really got hit.

Mongo was down just over 3% today, not my definition of “really got hit”.

Over 10% would qualify, anything less is just another day…yawn…

Full disclosure, I added to my MDB position today, more because it’s down 17% from its high, than because of today’s action. But really because I feel it’s going to be a LOT bigger and worth a LOT more, years from now, than it is now.

Long MDB

28 Likes

This is the time to be adding MDB shares, not panicking or referencing news articles irrelevant to the price drop.

Stocks do not just go straight up in some linear fashion.

14 Likes

Already vetted, not news, seen this before.

No need to fret.

AJ

3 Likes