Weekly Update 105

Presently sponsored by: Build scalable, reliable and secure cloud native applications with Tech Fabric

It’s another day-late weekly update courtesy of another hectic week. Scott and I were at NDC Sydney doing a bunch of talks and other events and I just simply didn’t get time to push this out until sitting at the airport waiting for the plan home.

This week’s update is a little different as we did it at SSW’s recording setup in front of a live audience. Better video, better audio and some questions asked in the process too. Other than that, it’s business as usual: more keyloggers on payment forms, more data breaches and a massive extended validation smack-down.

Lastly, just as I went to publish this post, I noticed SSW had taken down the original video. I’ve reached out to them to get a new link, but I managed to download and publish the audio earlier on so I’m publishing that for now.

Weekly Update 105
Weekly Update 105
Weekly Update 105


  1. Scott published his blog post about Magecart coming for you (then right after that the NewEgg breach was announced)
  2. SRI is a super useful little browser feature (it doesn’t negate the need to review the code you’re running, but it’s not meant to either)
  3. EV is a dead duck (seriously, read that post if you haven’t already, it’s just an absolutely pointless security mechanism as it stands today)
  4. Tech Fabric are sponsoring my blog this week (big thanks to those guys for their ongoing support!)

Oh – and PayPal still has no EV either 😜

MongoDB’s insecure database exposes 11 Million email records

A security researcher found an unsecured MongoDB’s customer database containing personal details of 11 million users. In the initial investigation, it appears that the database belongs to an email marketing firm based in California.

The breached database has a dataset of 43.5GB, which includes full names, email addresses (all of them were Yahoo emails), gender information, and physical addresses such as state, city, and ZIP code for 10,999,535 users.

Independent security researcher Bob Diachenko discovered an unprotected server by scanning the internet using publicly available tools. While doing the research he found out that the dataset was last modified by Shodan search engine on September 13, he could not found out for how long it was open for access.

The database had a table named “Warning” that contained a data with the following text:

“Your Database is downloaded and backed up on our secure servers. To recover your lost data: Send 0.4 BTC to our BitCoin Address and Contact us by email with your server IP Address and a Proof of Payment. Any eMail without your server IP Address and a Proof of Payment together will be ignored. You can apply for a backup summary within 12 hours. Then we will delete the backup. You are welcome!”

This is not the first time when MongoDB’s unprotected database was found, this month only Diachenko has spotted two instances.