A bored security researcher by the name of Chris Vickery recently managed to get into the databases of anti-virus maker Kromtech and make off with personal data on more than 13 million users.
In a post on Reddit, Vickery said he used Shodan.io to search for hosts accepting incoming connections on port 27017. What he ultimately found was a database containing the names, e-mail addresses, usernames, password hashes, phone numbers, system information and IP addresses of 13 million users.
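Port 27017 is MongoDB's default listening port, so the exposure described above is the familiar pattern of a mongod instance bound to every interface with no authentication enabled. The following audit script is an added example, not Kromtech's code or anything from the article: it parses the two-level YAML layout of a `mongod.conf` file (the sample configurations are constructed for illustration) and reports the two settings that, together, leave a database readable by anyone who can reach the port.

```python
from typing import Dict, List, Optional

# Constructed mongod.conf excerpts for illustration; not Kromtech's configuration.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # listens on every interface
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

WILDCARD_BINDS = {"0.0.0.0", "::", "*"}


def parse_simple_yaml(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the 'section:\\n  key: value' layout of mongod.conf.
    Not a general YAML parser: '#' comments are stripped and nesting deeper
    than two levels is ignored, which is enough for the keys audited here."""
    result: Dict[str, Dict[str, str]] = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw.startswith(" ") and line.endswith(":"):
            section = line[:-1].strip()
            result[section] = {}
        elif section is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            result[section][key.strip()] = value.strip()
    return result


def audit_mongod_conf(text: str) -> List[str]:
    """Return one finding per setting that exposes the instance to
    unauthenticated reads from outside the host."""
    conf = parse_simple_yaml(text)
    findings: List[str] = []

    net = conf.get("net", {})
    bind_ip = net.get("bindIp")
    if net.get("bindIpAll", "").lower() == "true":
        findings.append("net.bindIpAll=true exposes the listener on every interface")
    elif bind_ip is None:
        # mongod versions before 3.6 listened on all interfaces by default.
        findings.append("net.bindIp is unset; older mongod defaults to all interfaces")
    else:
        addrs = {a.strip() for a in bind_ip.split(",")}
        if addrs & WILDCARD_BINDS:
            findings.append(f"net.bindIp={bind_ip!r} exposes the listener on every interface")

    if conf.get("security", {}).get("authorization", "").lower() != "enabled":
        findings.append("security.authorization is not enabled; clients can read data without credentials")
    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```

Restricting `bindIp` alone is not sufficient: an instance reachable only from a private network still needs `security.authorization: enabled`, and both checks are reported independently so that neither masks the other.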
Vickery said he also found software license and activation codes in the 21GB of wide-open data.
Fortunately, Vickery is a white hat and thus immediately reached out to Kromtech to alert it to the issue.
In a statement on the matter, the company said it fixed the issue within hours of discovery. Analysis of its systems showed that only one person (Vickery) gained unauthorized access to the database. Kromtech said all payment information is processed by a third party, meaning it was never at risk. The company publicly thanked Vickery for his actions in disclosing the error.
It's worth pointing out that the "stolen" passwords were hashed with MD5, a fast and unsalted scheme that is a very weak choice for password storage. As Forbes points out, there are a number of MD5 cracking tools capable of working out simple passwords within seconds. The company told the publication it was in the middle of upgrading to SHA-512.
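Why a bare MD5 digest falls within seconds, and what the move to SHA-512 has to include to help, is easier to see in code. The block below is an added example and not Kromtech's implementation: it places the weak scheme the article describes (an unsalted MD5 digest) beside a salted, iterated PBKDF2-HMAC-SHA512 record, and shows the transparent-upgrade-on-login step a migration like the one Kromtech described needs so that legacy MD5 entries are replaced the next time each user authenticates. The iteration count and salt length are parameters chosen here, not values from the article.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Parameters chosen for this example; tune to your own hardware budget.
PBKDF2_ITERATIONS = 210_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha512"


def md5_hash(password: str) -> str:
    """The weak scheme from the article: a bare, unsalted MD5 digest.
    Every user with the same password gets the same digest, so one
    precomputed table cracks all of them at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_sha512_hash(password: str, salt: Optional[bytes] = None,
                       iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA512. The record is self-describing
    ('scheme$iterations$salt_hex$digest_hex') so parameters can be verified
    and raised later without a second migration."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    recomputed = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def needs_rehash(stored: str) -> bool:
    """True for legacy MD5 values (no scheme tag) and for PBKDF2 records
    created with fewer iterations than the current setting."""
    if "$" not in stored:
        return True
    scheme, iters, _, _ = stored.split("$")
    return scheme != SCHEME or int(iters) < PBKDF2_ITERATIONS


def upgrade_on_login(password: str, stored: str) -> Tuple[bool, str]:
    """Check a login against whatever record exists, and when it succeeds
    against a legacy or under-parameterised record, return the replacement
    record the caller should persist. Returns (ok, record_to_store)."""
    if "$" not in stored:
        ok = hmac.compare_digest(md5_hash(password), stored)
    else:
        ok = verify_pbkdf2(password, stored)
    if ok and needs_rehash(stored):
        return True, pbkdf2_sha512_hash(password)
    return ok, stored


if __name__ == "__main__":
    legacy = md5_hash("password")
    print("legacy MD5 record:", legacy)
    ok, upgraded = upgrade_on_login("password", legacy)
    print("login ok:", ok, "-> new record:", upgraded[:40] + "...")
    print("same password, new record each time:",
          pbkdf2_sha512_hash("password") != pbkdf2_sha512_hash("password"))
```

Two points the article's "upgrading to SHA-512" glosses over: a single unsalted SHA-512 is nearly as fast to brute-force as MD5, so the gain comes from the per-user salt and the iteration count, not the digest algorithm; and because a server never holds plaintext passwords, existing MD5 entries can only be converted when each user next logs in, which is why the upgrade path keeps the MD5 verifier around until the last legacy record is gone.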