MongoDB admins accidentally expose 600TB of data

Systems administrators of the MongoDB database have inadvertently exposed almost 600 terabyes of data by running unpatched and old versions of the open source software, according to a security researcher.

Shodan hacker John Matherly said nearly 30,000 databases had been exposed because admins were using out of date versions of the NoSQL database which failed to bind to localhost.

"There's a total of 595.2TB of data exposed on the internet via publicly accessible MongoDB instances that don't have any form of authentication," he said.

"It turns out that MongoDB version 2.4.14 seems to be the last version that still listened to 0.0.0.0 [in which the platform listens for connections on all interfaces] by default, which looks like a maintenance release done on April 28, 2015."

The security issue had been brought to light over three years ago as a critical vulnerability, but it took more than two years to change the settings, Matherly said.

Affected older versions of MongoDB lack a 'bind_ip 127.0.0.1' option set in the mongodb.conf, leaving their server vulnerable if the user is unaware of the setting, the 2012 security advisory stated.

"The default should be to lockdown as much as possible and only expose if the user requests it."

Matherly said it appeared that versions older than 2.6 were affected - a significant problem given most users are on version 2.4.9 and 2.4.10, followed by 2.6.7, he wrote.

According to Matherly, most of the exposed data runs on cloud instances such as Amazon, Linode, Digital Ocean and internet service and hosting provider OVH.

"My guess is that cloud images don't get updated as often, which translates into people deploying old and insecure versions of software," Matherly said.

He advised those on the affected versions to upgrade as soon as possible.