On September 16, researchers discovered an unprotected MongoDB instance owned by infomag.com.tr – an independently owned and operated licensee of Harvard Business Publishing (HBP), a wholly-owned subsidiary of Harvard University.
According to its website, Infomag publishes Bloomberg Businessweek and Harvard Business Review in Turkish.
Hosted in Turkey, the database was 3.9GB in size and held over 19.5 million records, although some of them were duplicates and some of the data wasn’t sensitive.
In total, the database leaked over 152,000 pieces of information pertaining to customers, such as emails, names, links to LinkedIn, Twitter, and Facebook profiles, and hashed passwords. Some of the passwords were hashed with a weak algorithm such as MD5, while others were hashed with bcrypt, which is considered a strong password hash.
The instance also contained 15 employee emails, names, and passwords protected by a weak SHA1-128bit hash. Some credential pairs belonged to Harvard Business Review English (@hbr.org) users.
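As an added illustration (not code from the article or from Infomag), the following Python script triages a dumped user table of the kind described above: it recognises MD5, SHA-1 and bcrypt hashes by their format, lists the accounts that need an immediate password reset, and shows how unsalted MD5/SHA-1 storage makes identical passwords produce identical hashes. All records, emails and hash values are constructed samples.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample records modelled on the mix of hash types reported in the
# article (MD5, bcrypt, SHA-1). Emails and passwords are made up, not from the leak.
SAMPLE_RECORDS = [
    {"email": "user1@example.com", "hash": hashlib.md5(b"Summer2017!").hexdigest()},
    {"email": "user2@example.com", "hash": hashlib.md5(b"Summer2017!").hexdigest()},
    {"email": "user3@example.com",
     "hash": "$2b$12$C6UzMDM.H6dfI/f/IKcEeO5tS3nVx3Xp7B6jJ4TbzkQfE2Y3TLt7u"},
    {"email": "staff@example.com", "hash": hashlib.sha1(b"hunter2").hexdigest()},
]

BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
HEX_RE = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)

# Fast unsalted digests are recognised purely by their hex length; these are the
# formats that can be brute-forced cheaply and should be treated as compromised.
WEAK_HEX_LENGTHS = {32: "md5", 40: "sha1"}


def classify_hash(value):
    """Return (algorithm, bcrypt_cost_or_None) for one stored password hash."""
    m = BCRYPT_RE.match(value)
    if m:
        return "bcrypt", int(m.group(1))
    if HEX_RE.match(value) and len(value) in WEAK_HEX_LENGTHS:
        return WEAK_HEX_LENGTHS[len(value)], None
    return "unknown", None


def triage(records):
    """Summarise a dumped user table: which accounts need a forced reset first,
    and which unsalted hashes collide (identical hash => identical password)."""
    counts = defaultdict(int)
    reset_first = []
    by_weak_hash = defaultdict(list)
    for rec in records:
        algo, cost = classify_hash(rec["hash"])
        counts[algo] += 1
        # bcrypt with a sane work factor buys time; everything else is reset now.
        if algo == "bcrypt" and cost is not None and cost >= 10:
            continue
        reset_first.append(rec["email"])
        if algo in ("md5", "sha1"):
            by_weak_hash[rec["hash"].lower()].append(rec["email"])
    collisions = [emails for emails in by_weak_hash.values() if len(emails) > 1]
    return {"counts": dict(counts), "reset_first": reset_first, "collisions": collisions}
```

Running `triage(SAMPLE_RECORDS)` reports two MD5, one SHA-1 and one bcrypt hash, flags the three weakly hashed accounts for reset, and groups user1 and user2 together because their unsalted MD5 hashes are identical.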
The oldest entry goes as far back as 2017, and it is unclear how long this instance had been open prior to the Cybernews discovery.
The ransomware
On September 19, Cybernews researchers went back to check whether the database was still open and learned that it had been hit by a ransomware attack, meaning that criminals found the dataset before its owner had a chance to close it.
Crooks left a note, asking for a ransom in Bitcoin and threatening to contact authorities that might fine the company for potential GDPR violations.