Beautiful People Love MongoDB (But Not Brits)

BeautifulPeople.com Leaks Very Private Data of 1.1 Million ‘Elite’ Daters — And It’s All For Sale by Thomas Fox-Brewster.

From the post:

Sexual preference. Relationship status. Income. Address. These are just some details applicants for the controversial dating site BeautifulPeople.com are asked to supply before their physical appeal is judged by the existing user base, who vote on who is allowed in to the “elite” club based on looks alone. All of this, of course, is supposed to remain confidential. But much of that supposedly-private information is now public, thanks to the leak of a database containing sensitive data of 1.1 million BeautifulPeople.com users. The leak, according to one researcher, also included 15 million private messages between users. Another said the data is now being sold by traders lurking in the murky corners of the web.

News of the breach was passed to FORBES initially in December 2015 by researcher Chris Vickery. At the time, BeautifulPeople.com said the compromised data came from a test server, which was quickly locked up. It did not appear to be a serious incident.

But the information – which now appears to be real user data despite being hosted on a non-production server – was taken by one or more less-than-scrupulous individuals before the lockdown, making it out into the dirty world of data trading this year.

“We’re looking at in excess of 100 individual data attributes per person,” Hunt told FORBES. “Everything you’d expect from a site of this nature is in there.”

Vickery said the database he’d obtained contained 15 million messages between users. One exchange shown to FORBES involved users asking for prurient pictures of one another. A separate message read: “I didn’t even think to look for a better photo because the brits, on average, are some ugly motherf***ers anyway.” This would appear to chime with BeautifulPeople.com’s own “research”.

Don’t be in the act of drinking any hot or cold beverages when you visit “BeautifulPeople.com’s own “research”.” You may hurt yourself or ruin a keyboard. Fair warning.

The relative inaccessibility of these hacked data sets prevents leaks from acting as incentives for online services to improve their data security.

Imagine Forbes running data market pricing for “beautiful people,” living in Stockholm, for example. A very large number of people would imagine themselves to be in that set, which would set the price of that sub-set accordingly.

Moreover, it would be harder for BeautifulPeople.com to recruit new members, who are aware of the company’s lack security practices.

Thomas says that the leak was from a non-production MongoDB server.

That’s one of those databases that installs with no password for root and no obvious (in the manual) way to set it. I say “not obvious,” take a look at page 396 of the MongoDB Reference Manual, Release 3.2.5, April 25, 2016, where you will find:

The localhost exception allows you to enable access control and then create the first user in the system. With the localhost exception, after you enable access control, connect to the localhost interface and create the first user in the admin database. The first user must have privileges to create other users, such as a user with the userAdmin (page 488) or userAdminAnyDatabase (page 493) role.

Changed in version 3.0: The localhost exception changed so that these connections only have access to create the first user on the admin database. In previous versions, connections that gained access using the localhost exception had unrestricted access to the MongoDB instance.

The localhost exception applies only when there are no users created in the MongoDB instance.

First mention of password in the manual.

Should you encounter a MongoDB instance in the wild, 3.0 or earlier….

Comments are closed.