Unprotected MongoDB databases expose details of millions of accounts on six social platforms in China

Victor Gevers, a security researcher at non-profit GDI Foundation, claims to have found 18 MongoDB databases open for public access and leaking details associated with millions of accounts on several social platforms in China.

According to Gevers, these databases are likely part of a Chinese surveillance programme, which collects profile-related data from six social services. The data collected is then synchronised with unprotected MongoDB databases of operators in 18 locations. Eventually, the information is received by police stations in various cities or provinces in China, according to specialist security site BleepingComputer.

Gevers could not identify all the social platforms by their popular names, so he posted on Twitter a list of some identifiers that were found in the unprotected data collections.

After reading his tweet, some people identified one specific identifier, "wxmsg", as the WeChat voice and text application.

According to Gevers, the information collected by the surveillance programme includes user names, photos, ID numbers, network info, GPS locations, file exchanges and public and private conversations.

"Around 364 million online profiles and their chats & file transfers get processed daily. Then these accounts get linked to a real ID/person. The data is then distributed over police stations per city/province to separate operators databases with the same surveillance network name," Gevers said in his tweet.

Gevers does not know how many days these 18 databases were accessible online or who their operators were. He reported the incident to Internet Service Provider ChinaNet Online, after which 17 databases were taken offline, while one server was still open.

In a similar incident reported in January, another security researcher had found an unsecured 854GB MongoDB database online, containing private details of over 202 million Chinese job seekers.

The database contained information including candidates' skills, mobile number, email, marriage, children, height, weight, driver's license, and literacy level, but didn't require password/login authentication to access.

The unprotected data was stored in a NoSQL cross-platform document-oriented database, which was hosted by an American server hosting company.

Although the database was taken offline later, the cyber-security researcher who discovered the database found that "MongoDB log showed at least a dozen IPs who might have accessed the data before it was taken offline."