Veeam Didn't Use a Password, and Now Millions of Email Addresses Are Leaked

Veeam MongoDB Exposure

All organizations, from your bank to the hot dog stand near your office, need to handle their customers' data with care, and we've come to expect that some will do it better than others. We know that usually, the smaller the vendor, the less likely it is to invest in security. When it comes to companies that specialize in handling information, however, we usually expect things to be pretty well organized. Veeam, a backup and data management solutions provider showed recently, that this is not always the case.

Yet another MongoDB mishap

In fact, someone at Veeam made the rather simple (some would even say childish) mistake of forgetting to protect a MongoDB database with a password and then putting it on a server that was exposed to the Internet. If you know anything about MongoDB security, you'll see just how well deserved the criticism is.

We all make mistakes, but we try not to repeat them, and unfortunately, misconfiguring a MongoDB database is a mistake that's been repeated all too many times in the past. There's a search engine called Shodan, and if you know what to look for, using it to find databases full of sensitive data is as easy as performing a simple Google query. If there's no password, there's nothing to stop you from stealing the data. Raiding unsecured MongoDB databases is easier than you think, and crooks have been doing it for years. Often, after they steal the data, they even demand a ransom for releasing it. Fortunately, in the case of Veeam, this didn't happen.

It could have been worse for Veeam

Thankfully, an independent security researcher by the name of Bob Diachenko was the first to discover Veeam's exposed database. He had some struggles getting through to the data management company, but after he asked TechCrunch reporter Zack Whittaker for help, Veeam did the right thing and pulled the server down. In total, it remained online for just over a week.

It must also be said that the exposed information wasn't that sensitive. Although quite a lot of records did end up where they shouldn't have been, they contained nothing more than names, email addresses, and, in some cases, IPs of Veeam's current and prospective customers and partners. There were no passwords, credit card details or other, more compromising information going out, which is a good thing.

Veeam's management wasn't happy with the way the incident was reported

More good news came out yesterday, when Veeam's CEO, Peter McKay, issued a statement regarding the breach. When Diachenko and Whittaker first reported on it, they said that the 200GB database contained more than 440 million records, though they did point out that they have no idea how many are duplicates. As it turns out, Veeam analyzed its records, and Peter McKay was rather eager to announce that the number of unique email addresses is quite a bit lower – about 4.5 million. On the whole, McKay doesn't appear to be very happy about the way the issue was reported by the media, and he isn't afraid to show it.

Indeed, some news outlets got a bit too excited by the figures before the vendor had the time to come up with its own version of events, and we can imagine that the mood in Veeam's office is probably pretty gloomy at the moment. As we mentioned already, however, some pretty basic mistakes were made, and the fact that there's no real evidence of any serious consequences shouldn't serve as an excuse. In light of this, attacking the media seems like a somewhat strange move.

In any case, we're hoping that lessons will be learned.

September 14, 2018

Leave a Reply