• by Ray Schultz , September 18, 2018

A data leak exposing 10.9 million records, purportedly from discount marketing firm SaverSpy, has been traced to the MongoDB server.

Included were Yahoo Mail email addresses, postal addresses and gender data, according to security researcher Bob Diachenko.

The breach was identified on Monday by Diachenko.

Diachenko writes: “The data was available from an unprotected MongoDB instance set up on Grupo-SMS hosting infrastructure, and could be accessed by anyone from Sept 13th on (when Shodan last indexed it).”

He adds that the database “also included DNS details about the email status (sent successfully or not), that showed if the email went through, and server response.”

The origin of the data was not immediately clear. But “one hint was given in the description of the lists in which a particular email was part of - "Yahoo_090618_ SaverSpy," leadingDiachenko to conclude that it possibly was SaverSpy.

SaverSpy -- identified in at least one media report as a California-based email marketing firm -- offers a variety of printable discount coupons. Visitors to the site who want to print coupons are asked for their phone numbers.

Diachenko writes that he has received no response from either organization about the breach, but that the “database has been taken offline shortly after notification email sent and now unreachable.”

SaverSpy is powered by Coupons.com, he reports.  

Diachenko concludes that “MongoDB in question has already been tagged as 'Compromised' in Shodan and contained 'Warning' database with 'Readme' collection and ransom note demanding 0.4 BTC for recovering the data. However, at the time of discovery, all data were intact. I assume this is a result of failed script scenario used by crooks (and pure luck for the database owners).”