Go to top of page

Businesses: Check your database security

Priority Level: 
6 December 2017

Australian businesses and other organisations are being warned to check their databases are secure after reports that millions of people have had their personal details exposed due to an insecure database.

Researchers from the security firm Kromtech Security Center found a company based in Tel Aviv had an open MongoDB database online, potentially exposing personal data on about 31 million people across the globe.

Those people had all installed a keyboard app for their Android device, “Ai.type”.

MongoDB is a common platform used by many organisations to store data, and the security problems associated with open MongoDB installations have been highlighted in previous media coverage.

Earlier this year attackers reportedly gained access to tens of thousands of MongoDB databases and demanded ransoms to return stolen data.

Stay Smart Online advises organisations to:

  • continually review the security of their database installations and ensure best practice security measures are adopted
  • where later database version releases provide enhanced security, update to these releases as soon as possible
  • ensure all database users have strong passwords or passphrases, with two-factor authentication if possible.

Stay Smart Online advises individuals downloading apps to:

  • always review and manage “permissions” for each app you download
  • read the fine print about how an app will protect your personal data—some apps collect information such as your location, contacts, and other sensitive details like your login credentials.

The Australian Internet Security Initiative, which is run by CERT Australia, regularly reports on various types of open services—including open Australian MongoDB databases. You can find the daily chart of these open services here.

More information:

Stay Smart Online provides information on downloading apps, on our online apps page, and information on setting good passwords.

Read Stay Smart Online’s January 2017 story about a MongoDB attack.

MongoDB has provided detailed security tips on its website.