Amex India accounts exposed by misconfigured MongoDB installation

Thousands of sensitive records were made publicly available

American Express account holders in India had their personal information exposed in yet another instance of misconfigured data storage, The Daily Swig can reveal.

More than 689,000 unencrypted records containing names, phone numbers, emails, and card type were found publicly available on a MongoDB database belonging to the Amex India service.

The database has now been secured, and it is believed that no malicious parties gained access to the data for the minimum five days it was exposed.

Security researcher Bob Diachenko, who discovered the issue on October 23, told The Daily Swig that MongoDB document databases can unintentionally be made public due to a misconfigured firewall.

“One never knows when transient firewall rules may inadvertently expose your development machines to the public,” Diachenko said in a blog post, which applauded Amex for its prompt efforts in taking down the affected server once notified.

“I tend to believe that the database was managed not by Amex but one their subcontractors responsible for SEO or lead generation,” he added.

Diachekno noted that a significant amount of data held on the database – a total of 2,332,115 records – was encrypted and therefore protected from viewing without a key. This information was said to have included names, addresses, phone numbers, and identity cards.

While Amex reiterated that its database had top-level encryption, Diachekno still found a significant chunk of data that was easy to view.

“Several collections contained readable links and access details to the services and accounts hosted at americanexpressindia.co.in domain, mobile numbers, names, etc,” said Diachenko.

There are multiple ways that a MongoDB can be misconfigured, and continuous breaches springing from the NOSQL database have proven that security by design is not a top priority for its developers.

Last year, a security researcher at Microsoft said that attacks on MongoDB were reaching 27,000 exposed databases in just half a day, much to do with the fact that authentication is not required by default in all models prior to 2.6.0.

Diachekno identified the unprotected MongoDB without difficulty via BinaryEdge.io – a dataset search engine similar to Shodan.

The Daily Swig has reached out to American Express for comment.

RELATED Major jobs website left sensitive client data exposed for months