Cyber Incident Victim: Librería Porrúa
Date: Jul 2019
Location: Mexico
Summary
A Mexican bookseller suffered a breach when attackers reached its unprotected MongoDB database and replaced approximately 1.2 million customer records with a ransom demand. The exposed data included names, email addresses, phone numbers, dates of birth, hashed payment card details, invoices, and discount codes. Discovered shortly after a search engine indexed it, the database required no authentication, so the attackers held full administrative privileges: they wiped its contents and left a note demanding payment in Bitcoin for restoration of the data. The incident highlighted the risks of publicly accessible databases that lack authentication safeguards.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On July 14, 2019, a MongoDB database belonging to Mexican bookseller Librería Porrúa was indexed by the Shodan search engine, exposing it to the public internet without any authentication controls. Security researcher Bob Diachenko discovered the unsecured database on July 15, 2019; it contained approximately 1.2 million customer records. The exposed data included invoices with purchase details, shopping cart IDs, hashed payment card information, activation codes, tokens, full names, email addresses, phone numbers, dates of birth, and discount codes. Attackers identified the unprotected database and gained full administrative privileges, enabling them to manage its contents remotely without restriction. By July 18, 2019, three days after public discovery, the hackers had deleted all 1.2 million records and replaced the database contents with a ransom note demanding 0.05 Bitcoin (approximately $500 at the time) in exchange for restoring the data. The attackers claimed to hold a backup of the stolen information on their own servers, though the source article notes historical instances in which such claims proved fraudulent. The database remained completely unprotected throughout the incident, lacking even basic password authentication despite being internet-facing.

The compromise exposed highly sensitive personal and financial information of Librería Porrúa customers, creating risks of identity theft, financial fraud, and phishing. While payment card data was hashed, other exposed elements such as names, contact details, and purchase histories could support targeted social engineering campaigns. The attackers followed a well-documented pattern of MongoDB exploitation dating back to 2016, in which threat actors systematically target internet-exposed databases that lack access controls. No information was provided on whether Librería Porrúa paid the ransom or recovered any data, nor were any containment actions by the company described in the source material. The incident highlighted persistent security failures in MongoDB deployments: tens of thousands of similar databases were compromised under identical circumstances between 2016 and 2019 because of inadequate authentication. The public exposure lasted at minimum from July 14 until July 18, 2019, though the exact initial compromise timeline remains unspecified beyond the Shodan indexing date.
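As an added illustration (not drawn from the source report or from Librería Porrúa's actual deployment), the two mongod.conf fragments below contrast the exposed pattern described above, a server listening on every interface with authorization disabled, against a hardened equivalent; the private address and certificate path are placeholders.

```yaml
# Fragment 1: the exposed pattern (constructed example).
# No "security" section is present, so authorization is off: any client that
# can reach TCP 27017 has full administrative rights, which is exactly what let
# an internet scanner index the server and an attacker drop every collection.
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on all interfaces, including the public one

---
# Fragment 2: hardened equivalent (constructed example).
# Bootstrap order matters: start once with authorization enabled, create the
# first admin user from localhost (the localhost exception allows that single
# step), then restart with the exception disabled as shown here.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus one private app-tier address (placeholder)
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem   # placeholder path
security:
  authorization: enabled     # every command now requires an authenticated role
  javascriptEnabled: false   # server-side JS is not needed for a storefront workload
setParameter:
  enableLocalhostAuthBypass: false   # close the bootstrap exception after setup
```

After restarting, `db.adminCommand({ getCmdLineOpts: 1 })` from an authenticated mongosh session shows the settings the server actually parsed, and an unauthenticated `db.runCommand({ listDatabases: 1 })` should fail with an authorization error rather than list the customer collections.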
