On Mar 30, researchers at Kromtech Security identified a database open to the public containing full names, addresses, email addresses, encrypted passwords, wallet information, along with links to scanned passports, driver’s licenses, and other IDs for over 25,000 investors of the newly created Bezop. The information was found within a MongoDB database without any security.
John McAfee, an adviser on the board for Bezop, described Bezop as “a distributed version of Amazon.com” in a recent Twitter post. It is that, but it’s also a cryptocurrency. Bezop is adding (and has in fact already added) its own cryptocurrency, which it calls “Bezop tokens”, into the stream of transactions.
It does not seem to be a very good start for a company such as this to place anyone’s personal information on the Internet, open to the public, especially that of its early investors. In fact, it’s a little difficult to grasp how it could happen, even by mistake. Given that current MongoDB releases no longer listen on all network interfaces by default, the instance would have to have been deliberately configured to be public, a configuration which should not even be risked internally.
Making your investors’ personal information public is obviously not a good practice and a huge mistake to make. We hope that they ensure that their new product, which uses MongoDB as part of its design, and any future bounty programs using the same, will be configured far more securely than this MongoDB instance turned out to be. Ease of use should never be placed above security, even during the development cycle.
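To make the two configuration mistakes concrete, here is an added example (not Kromtech’s or Bezop’s code) that audits a mongod.conf for an instance bound to all interfaces with authorization disabled, beside the hardened form; the config file contents and the `10.0.0.5` address are constructed for illustration.

```python
import re

# Constructed: how a deliberately exposed instance is typically configured.
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""

# Constructed: the same file after hardening (localhost plus one internal IP).
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""

def parse_mongod_conf(text):
    """Minimal parser for the two-level 'section:' / '  key: value' layout of
    mongod.conf; enough for the net and security sections, not general YAML."""
    conf, section = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = re.match(r"^(\s*)([\w.]+):\s*(.*)$", raw)
        if not m:
            continue
        indent, key, value = m.groups()
        if indent == "":
            section = key
            conf[section] = {}
        elif section is not None:
            conf[section][key] = value.strip()
    return conf

def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks pass."""
    conf = parse_mongod_conf(text)
    net, sec = conf.get("net", {}), conf.get("security", {})
    findings = []
    # mongod 3.6+ defaults bindIp to localhost; 0.0.0.0, :: or bindIpAll
    # reopen the listener to every interface, including the public one.
    ips = [ip.strip() for ip in net.get("bindIp", "127.0.0.1").split(",")]
    if "0.0.0.0" in ips or "::" in ips or net.get("bindIpAll") == "true":
        findings.append("net.bindIp listens on all interfaces")
    # security.authorization defaults to disabled, so its absence is a finding.
    if sec.get("authorization", "disabled") != "enabled":
        findings.append("security.authorization is not enabled")
    return findings
```

Run both constants through `audit_mongod_conf` to see the weak file produce two findings and the hardened one none.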
At the time of this report, Bezop has been notified and has made no comment, but it has secured the database.
In our previous research we learned that it takes about 3 hours for a misconfigured MongoDB server to be compromised.
But really – who uses MongoDB anymore?!