Unsecured Database of Third Party Vendor allows Access to Spanish Gym Franchises

2019, Breaches, March


When: 30 Mar 2019

# of records involved: 6,608

What happened: A passwordless MongoDB database was exposing sensitive information of VivaGym job candidates along with other business-related data.

How did it happen: At the moment of discovery, the database already contained a ‘WARN’ collection. This is evidence that it had been accessed by a malicious script that targets unprotected databases, removes their content and leaves a Bitcoin ransom note inside the database.

Outcome: The misconfigured MongoDB in question was part of VivaGym’s recruitment website infrastructure and was managed by one of their technology partners. The danger of exposing a MongoDB or similar NoSQL database is huge. I have previously reported that the lack of authentication allowed the installation of malware or ransomware on MongoDB servers, and it is a serious threat. A publicly reachable, unauthenticated configuration lets cybercriminals manage the entire system with full administrative privileges.
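For reference, the two settings that turn a MongoDB instance from "exposed to the internet with no password" into a locked-down one are shown below. This is an added, constructed mongod.conf example, not the configuration used by VivaGym or its vendor (which is not on the page); it assumes a stock mongod deployment and an application server at the constructed address 10.0.1.20.

```yaml
# Constructed example: exposed (weak) configuration, shown only as comments.
# This is what an instance that answers unauthenticated requests on all
# interfaces typically looks like; it is the pattern the wiping scripts
# described above look for.
#
# net:
#   port: 27017
#   bindIp: 0.0.0.0          # listens on every interface, internet included
# security:
#   authorization: disabled  # any client gets full administrative access

# Hardened configuration: bind only to interfaces the application needs,
# and require authentication before any read or write.
net:
  port: 27017
  # Loopback plus the private interface the app server (10.0.1.20, assumed)
  # reaches; never 0.0.0.0 on an internet-facing host.
  bindIp: 127.0.0.1,10.0.1.5

security:
  # Forces role-based access control; an admin user must be created
  # on localhost before clients can connect with this enabled.
  authorization: enabled
```

With authorization enabled, the appearance of an unexpected collection such as ‘WARN’ (or a drop of all collections) is a strong signal worth alerting on, since it is the footprint of the automated wipe-and-ransom scripts described above.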