Unsecured Database of Third Party Vendor allows Access to Spanish Gym Franchises
Who: VIVA GYM
When: 30 Mar 2019
# of records involved: 6,608
What happened: A passwordless MongoDB database was exposing sensitive information about VivaGym job candidates, along with other business-related data.
How did it happen: At the time of discovery the database already contained a ‘WARN’ collection. This is evidence that it had been accessed by an automated malicious script that targets unprotected databases, deletes their content and leaves a Bitcoin ransom note inside the database.
Outcome: The misconfigured MongoDB in question was part of VivaGym’s recruitment website infrastructure and was managed by one of their technology partners. The danger of an exposed MongoDB or similar NoSQL database is huge. I have previously reported that the lack of authentication allowed the installation of malware or ransomware on the MongoDB servers, and it is a serious threat. Such a public configuration gives cybercriminals the possibility of managing the entire system with full administrative privileges.
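The two conditions described above (a reachable mongod with authorization disabled, and a ransom-note collection such as ‘WARN’ left behind by the wiper script) can be checked from an operator's own side. This is an added example, not code from the original report; the live run assumes pymongo is installed, and the ransom-note names other than ‘WARN’ and the demo collection names are constructed assumptions.

```python
"""Audit a MongoDB deployment for missing authentication and wiper/ransom residue."""
from typing import Iterable, List

# 'WARN' is the collection named in the report; the other names are assumed
# variants that similar scripts leave behind (constructed list, extend as needed).
RANSOM_NOTE_COLLECTIONS = {"WARN", "WARNING", "README", "README_TO_RECOVER", "PLEASE_READ"}


def auth_enabled(cmd_line_opts: dict) -> bool:
    """True if the server's parsed config has security.authorization: enabled.
    `cmd_line_opts` is the document returned by db.command('getCmdLineOpts')."""
    parsed = cmd_line_opts.get("parsed", {})
    return parsed.get("security", {}).get("authorization") == "enabled"


def bound_publicly(cmd_line_opts: dict) -> bool:
    """True if mongod listens on all interfaces (bindIp 0.0.0.0 or bindIpAll)."""
    net = cmd_line_opts.get("parsed", {}).get("net", {})
    bind_ip = str(net.get("bindIp", "localhost"))  # mongod defaults to localhost since 3.6
    return "0.0.0.0" in bind_ip.split(",") or bool(net.get("bindIpAll", False))


def ransom_note_collections(names: Iterable[str]) -> List[str]:
    """Collections whose names match known ransom-note drops, e.g. 'WARN'."""
    return sorted(n for n in names if n.upper() in RANSOM_NOTE_COLLECTIONS)


def assess(cmd_line_opts: dict, collection_names: Iterable[str]) -> List[str]:
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    if not auth_enabled(cmd_line_opts):
        findings.append("authorization disabled: anyone reaching the port has full admin rights")
    if bound_publicly(cmd_line_opts):
        findings.append("mongod is bound to all interfaces")
    notes = ransom_note_collections(collection_names)
    if notes:
        findings.append(f"ransom-note collection(s) present: {notes}; data was likely already wiped")
    return findings


if __name__ == "__main__":
    # Constructed demo input resembling the exposed recruitment database.
    demo_opts = {"parsed": {"net": {"bindIp": "0.0.0.0"}}}   # no 'security' section at all
    demo_names = ["candidates", "applications", "WARN"]
    for finding in assess(demo_opts, demo_names):
        print("FINDING:", finding)
    # Live run against your own server (assumes pymongo and a role allowed getCmdLineOpts):
    # from pymongo import MongoClient
    # client = MongoClient("mongodb://localhost:27017/")
    # print(assess(client.admin.command("getCmdLineOpts"),
    #              client["recruitment"].list_collection_names()))
```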