The Romanian Hacker, GhostShell, who was in the news couple of months ago for doxing himself, has returned with yet another leak of 36 million user records obtained from MongoDB servers. Out of those 36 million records, 3.6 million also include passwords.

GhostShell announced the data leak on twitter and also posted a link to PasteBin URL where users can see the screenshots of the hacked servers and various links from where the data can be downloaded. The link also contained a statement regarding his reasons behind the hack.

The download package sits at 598 MB ZIP file, which when decompressed sizes up to 5.6 GB of data containing 110 folders named based on the hacked server’s IP. One will also find a screenshot as a proof of the hacker’s access to the server in the each folder along with entire database dump.

The data includes user information such as real names, usernames, email addresses, passwords, gender, geolocation info, social media information, details about the user’s smartphone model, browser information, API credentials, and even avatar images.

GhostShell revealed he used only a simple scanner like Shodan to discover these databases and named this hacking project of his as Project Vori Dazel which aims at highlighting the poor security practices by MongoDB. He also said that there was no username or password set for the root account with a large number of open ports.

All these hacks from GhostShell are part of his Light Hacktivism campaign which thrives on finding and exposing vulnerabilities and poor security practices in order to have them corrected.

Following is the complete statement from GhostShell:

For more than a few years now various people across the net have been signaling an on-going vulnerability
within the new MEAN Stack system of client/routing/server. The successor of the LAMP Stack, an already infamous
vulnerable platform, many thought this new one is more secure, yet it’s almost the exact same as its predecessor. MySQL typically replaced by NoSQL and the main database configuration managed by MongoDB.

This project will focus solely on this poorly configured MongoDB. I’d like to mention exactly how easy it is to
infiltrate within these types of networks but also how chilled sysadmins tend to be with their security measures.
Or should I say, lack thereof.

In a lot of instances the owners don’t bother checking for open ports on their newly configured servers, not only
that but they also don’t concern themselves with establishing a proper authentication process. (Just a simple
username/password)

Typical open ports:
22, 53, 80, 81, 110, 137, 143 443, 465, 993, 995, 3000, 8080, 27017, 3306, 6379, 8888, 28017, 64738, 25565

This can basically lead to anyone infiltrating the network and managing their internal data without any interference. You don’t even have to elevate your privileges, you just connect and have total access. You can create
new databases, delete existing ones, alter data, and so much more.

I am leaking more than 36 million accounts/records of internal data from these types of networks to raise awareness
about what happens when you decide not to even add a username/password as root or check for open ports, let alone encrypt the data. Each server folder has within it a plaintext file with the general info of the target, a screenshot
from within my MongoDB client with me having access and of course the leaked data in raw text. There are a few million accounts with passwords and the rest is private person data or other types.

This should serve as a cruel reminder of what happens when you don’t use proper security hygiene. And don’t worry if you thought this is the only vulnerability out there, guess again. The old ones remain as well.