Security is hard
While securing a MongoDB install is not the same as a relational install, it still has to be done properly. I suspect any database will be hacked by its equivalent of SQL injection because of sloppy security.
A December breach dismissed as minor at the time has turned ugly for dating-for-narcissists site BeautifulPeople. Security researcher and architect of HaveIBeenPwned, Troy Hunt, has told Forbes 'net scum are now offering data from a million BP users for sale. The site, which once, inexplicably and unforgivably, judged that El …
If your database doesn't use SQL, then a SQL-injection-type attack isn't possible.
I can't speak for MongoDB, but the NoSQL database I use just has a simple API, and you can't subvert an API call for (say) adding a record into one which drops the database or returns all the records.
That being said, this isn't much help if security is badly managed, so you are right that security is indeed hard.
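An added example (not from the article or from any commenter above) of what the "equivalent of SQL injection" looks like for a document database such as MongoDB, the case raised in the first two comments: the API call itself is not subverted, the attacker's input arrives inside the query filter when a decoded JSON body is passed straight into it. The sample collection, the tiny in-memory matcher and the function names (`find`, `loginVulnerable`, `loginHardened`) are constructions of this example; `$ne` and `$gt` are real MongoDB query operators, of which the matcher implements only the subset needed to show the point.

```javascript
// Added example, not code from the page or from any project it mentions.
// A minimal in-memory stand-in for a MongoDB-style query matcher, used to
// show operator injection through a JSON request body and the type check
// that closes it.

// Constructed sample collection (plaintext passwords only to keep the
// example short; a real system stores password hashes).
const users = [
  { username: "alice", password: "correct horse battery staple" },
  { username: "bob", password: "hunter2" },
];

// Match one field against a condition. A plain value means equality; an
// object means a (very small) subset of MongoDB's query operators.
function matchesField(value, condition) {
  if (condition !== null && typeof condition === "object" && !Array.isArray(condition)) {
    return Object.entries(condition).every(([op, arg]) => {
      switch (op) {
        case "$ne":
          return value !== arg;
        case "$gt":
          return value > arg;
        default:
          throw new Error(`unsupported operator ${op}`);
      }
    });
  }
  return value === condition;
}

// Stand-in for collection.find(filter): every field in the filter must match.
function find(collection, filter) {
  return collection.filter((doc) =>
    Object.entries(filter).every(([field, cond]) => matchesField(doc[field], cond))
  );
}

// Vulnerable: whatever JSON.parse produced for the body is used as-is, so a
// body of {"username":"alice","password":{"$ne":""}} matches alice without
// knowing her password, and {"$ne":""} in both fields returns every user.
function loginVulnerable(body) {
  return find(users, { username: body.username, password: body.password });
}

// Hardened: credential fields must be plain strings, so an object carrying
// an operator is rejected before it can become part of the filter.
function loginHardened(body) {
  if (typeof body.username !== "string" || typeof body.password !== "string") {
    throw new TypeError("credentials must be strings");
  }
  return find(users, { username: body.username, password: body.password });
}

// Demonstration run with a constructed attacker request.
const attackBody = JSON.parse('{"username":"alice","password":{"$ne":""}}');
console.log("vulnerable:", loginVulnerable(attackBody).map((u) => u.username));
try {
  loginHardened(attackBody);
} catch (e) {
  console.log("hardened:", e.message);
}
```

The same check applies to anything that turns request data into nested objects, not only `JSON.parse`: URL-encoded parsers in extended mode turn `password[$ne]=` into `{ password: { $ne: "" } }` as well. Whitelisting the expected type of each field at the boundary is the document-database counterpart of using parameterised queries.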
"BeautifulPeople told Forbes passwords and financial data were not at risk and claimed to have notified all affected users."
We should wait for an El Reg commentard to confirm that they have received a notification email and tell us how reassuring it is (or not). We certainly won't get this from an El Reg staffer.
If you don't trust El Reg's people to do their job, what are you doing even visiting the site? You might as well go to Facebook for your news.
Research shows that substantial and increasing numbers of people are already doing exactly that.
Given the state of the historic media (so-called 'newspapers') in the UK at least, maybe it's not such a big surprise.
E.g.
http://stakeholders.ofcom.org.uk/binaries/research/tv-research/news/2015/News_consumption_in_the_UK_2015_executive_summary.pdf
(25 pages of 'executive summary'!)
I haven't had notification, so not sure if I've been affected.
That said, my details (username, email address, location, jobs) are already either out there (LinkedIn) or have been leaked that many times that if I was going to be pwned with just that info, it would've happened already.
Anon, because I don't want any budding detectives taking this as a challenge.
Dear BP Member,
On December 25th 2015, all BP members were mailed regarding a specific vulnerability with one of our test servers that was holding some users' data. We were initially informed of this breach by two security researchers. The server was immediately shut down. At this time we did not believe the data was accessed by anyone other than the two security researchers.
We were informed this morning, April 25th 2016, that the data on this server has been illegally distributed and could now be in the public domain.
Please be assured this information did NOT include any credit card data, and user passwords were not accessible. The vulnerability was specific to a test server and not part of our production database.
The privacy and security of our members data is of the utmost importance and all concerns we receive are dealt with immediately and comprehensively.
As a general matter of caution we strongly suggest you take the following action as recommended in our last email to you in December of 2015: Please change your BeautifulPeople password.
To do this, simply log in to www.beautifulpeople.com and go to ‘Account’ -> ‘Settings’ -> ‘Login information’. From there you will be able to update your password.
Should you have used the same password on any other website or device that holds private information, we suggest that you change these passwords too.
Kind Regards,
The Team at BeautifulPeople
-------------------------------
Don't seem to have the one from the 25th. This was in my spam folder though (and all the spam was in my inbox, brilliant) so it may have been trimmed already.