
Verifications.io Leaks Personal Records of 2B Users - cybarrior
https://cybarrior.com/blog/2019/03/28/verifications-io-leaks/
======
jjjjjjjjjjjjjjj
Why are so many MongoDB databases left unsecured? Are they extraordinarily
hard to secure? I imagine the people who are working with these databases must
be aware of the numerous leaks, and pay close attention to securing the data,
no?

~~~
Twirrim
Historically, MongoDB was unauthenticated and insecure by default. Because
_that's_ always a good idea.

You should never assume anyone is going to use your product in a secure
fashion, and make it so that they have to at least make _some_ effort towards
security.

Other than that, writing new features is fun, and you can get so many
developers (that don't think about security) for the same amount of money as a
good security professional, or a developer with even half an ounce of security
sense, commands.

Security is always inconvenient, takes extra effort, and is invisible. So many
companies and managers deprioritise it over more visible feature work,
forgetting that security in and of itself _IS_ a feature.

~~~
jdsully
A lot of databases have this weird idea that there is some secure "internal
network" and it's OK to just pretend it's 1995 in there. Antirez actively blogs
about how "insecure" Redis is but it's OK because just don't put it on the
internet [1]. Others just avoid the subject completely. Never mind that
internal networks get infiltrated all the time.

Security in depth is just not a thing a lot of people think about right now.

[1] [http://antirez.com/news/96](http://antirez.com/news/96)

~~~
jchw
Okay, let's be fair, and I'm sure you realize this: having network ACLs that
prevent unauthorized access is absolutely a good idea. "Internal networks" are
not dead - they've become more advanced with "VPC" services and software
defined networking.

Tunnelling Redis protocol over mutual TLS or something like that sounds like a
good idea, but I don't think I've seen anyone doing that :(

Frankly, I would love it if there were a simple, open standard for
authentication so every database didn't have to redo it. Maybe mutual TLS is
that answer, though traditionally getting the infrastructure for that correct
has been difficult.
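The "listen everywhere, no authentication" posture Twirrim describes above, and the mutual TLS that jchw wishes more databases supported, written out as a MongoDB server configuration with the weak setting noted beside the hardened one. This is an added example, not code from the thread or from the MongoDB project; the file paths, the second bind address and a MongoDB version of 4.2 or later (which introduced the `net.tls` keys) are assumptions.

```yaml
# Added example: mongod.conf hardened against the historical defaults.
# Paths, the 10.0.5.12 address and MongoDB >= 4.2 are assumptions.
net:
  port: 27017
  # Weak posture: "bindIp: 0.0.0.0" (or "bindIpAll: true") puts the
  # listener on every interface, including any public one.
  # Hardened: loopback plus the one internal address the app tier uses.
  bindIp: 127.0.0.1,10.0.5.12
  tls:
    # Weak posture: no tls section at all, so traffic and credentials
    # cross the "internal network" in cleartext.
    # Hardened: refuse any connection that is not TLS.
    mode: requireTLS
    certificateKeyFile: /etc/mongo/tls/server.pem   # assumed path
    # Clients must present a certificate chaining to this CA; combined
    # with mode: requireTLS this is the mutual TLS discussed above.
    CAFile: /etc/mongo/tls/ca.pem                   # assumed path
    allowConnectionsWithoutCertificates: false

security:
  # Weak posture (the old default): "authorization: disabled", so any
  # client that can reach the port can read and write every database.
  # Hardened: every session must authenticate and is limited by RBAC.
  authorization: enabled
```

After restarting with this file no user exists yet, so the first administrative user has to be created through the localhost exception (a connection from 127.0.0.1) before any remote client can do anything; client-certificate users are then created in the `$external` database with the certificate subject as their name.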

~~~
viraptor
> I would love it if there were a simple, open standard for authentication so
> every database didn't have to redo it

There is:
[https://en.wikipedia.org/wiki/Simple_Authentication_and_Secu...](https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer)

~~~
jchw
I've only ever seen it used with IRC but this most certainly is the closest
thing. Guess I hope for more adoption in the future.

~~~
X-Istence
SASL is also used with Dovecot/Postfix for example.

------
kitotik
“However, after further investigation and examination, DynaRisk updated its
report to state that the combined number of emails leaked is 982,864,972 to be
exact, and not 2 billion as previously reported.”

The headline seems wrong.

------
jjjjjjjjjjjjjjj
Source [https://securitydiscovery.com/800-million-emails-leaked-onli...](https://securitydiscovery.com/800-million-emails-leaked-online-by-email-verification-service/)

------
chrisbolt
[https://news.ycombinator.com/item?id=19333600](https://news.ycombinator.com/item?id=19333600)

------
skilled
How exactly did this get pushed to the front page?

This adds _nothing_ new to the conversation and consists mostly of quotes from
another article.

I was expecting an actual follow-up, and this is not it.

~~~
pmoriarty
From the HN Guidelines:

_"Please don't complain that a submission is inappropriate. If a story is
spam or off-topic, flag it. Don't feed egregious comments by replying; flag
them instead. If you flag something, please don't also comment that you did."_

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

~~~
skilled
Oopsie! Thanks for the heads-up.

