A database belonging to American Express India was accessible to anyone for more than five days during October.
The unprotected database, which was discovered on October 25 by Bob Diachenko, director of Cyber Risk Research at cyber consultancy Hacken, contained Amex customer names, phone numbers, addresses, PAN numbers, and Aadhaar IDs.
Diachenko notes the database was mostly encrypted, but several collections hosted on ‘americanexpressindia.co.in’ also contained readable data. The largest of those had 689,272 records available in plain text.
The researcher says Amex’s MongoDB database had been listed on Binaryedge – a popular list of exposed databases – since at least October 20. This means Amex’s database had already been out in the open for five days when Diachenko found it.
Some files hosted on Amex India’s website (links to which were also included in the exposed database) contained information on hundreds of thousands of customers in plain text.
Diachenko said that he found an additional 2.3 million records that were encrypted. He also found that the database was managed by a third-party company instead of Amex’s own team.
Amex cut public access to the database as soon as Diachenko reached out to them. The company further clarified that because of encryption, there was no unauthorized access and no customer data was affected.
We have reached out to Amex for additional information regarding this incident and will update the story accordingly.
MongoDB exposures are not rare. Last year, data of 31 million ai.key virtual keyboard users was leaked due to a misconfigured database. MongoDB 3.6 comes with a feature that requires the admin to explicitly connect the database to the internet. While we are not sure if Amex was using this version, it clearly needs to pay more attention to its security practices.