India-based security news website The Hacker News has reported that the personal data of almost half a million Delhi citizens was exposed online by an unprotected server that could be accessed without any password.
Security researcher Bob Diachenko identified an unsecured server left unprotected on the Internet that could be accessed without any password. The server held details of nearly half a million Indian citizens, stored in a MongoDB database instance.
The database has records of 458,388 individuals located in Delhi, and the data includes Aadhaar numbers and voter ID numbers. The database is named GNCTD, but it is not clear whether it belongs to the Government of National Capital Territory of Delhi (GNCTD).
The database also has email addresses on the “transerve.com” domain for users assigned the “senior supervisor” and “super admin” roles. The transerve.com domain belongs to Transerve Technologies, a Goa-based company offering smart city and data collection solutions.
The company offers precision mapping and location intelligence tool to help businesses
Diachenko took time to analyze the data and found that the records include email addresses, hashed passwords,
Diachenko tried to contact Transerve, but the company didn’t respond to his responsible disclosure email. He then contacted the Indian CERT, which coordinated taking the exposed database offline.
It remains unknown how long this database was online and whether it has been accessed by anyone.
Having an unprotected MongoDB database is a huge risk. It was the fault of the MongoDB admin, who didn’t follow security practices and exposed data that could be accessed by anyone.