Cyber Incident Victim: SaverSpy.com
Date: Sep 2018
Location: United States of America
Summary
An unsecured MongoDB server exposed nearly 11 million user records containing personal details such as names, email addresses, physical locations, and email delivery data, linked to an email marketing service associated with SaverSpy.com. The breach included Yahoo-specific email addresses and DNS information, with evidence suggesting the database had been previously compromised in a ransomware campaign where attackers wiped data and demanded Bitcoin payments. Security researchers identified the leak and notified the company, leading to the server being secured; the incident highlighted inadequate security measures despite prior compromise, as the database was restored without proper safeguards after initial attacks.
Description
On September 17, 2018, security researcher Bob Diachenko discovered an unsecured MongoDB server leaking approximately 11 million user records containing personal information from an email marketing service. The exposed database, totaling 43.5GB, contained full names, email addresses, gender information, and physical addresses including state, city, and ZIP code for 10,999,535 individuals. All exposed email addresses were Yahoo-based accounts, indicating the data represented a subset of a larger collection likely distributed across multiple servers. The records also included DNS details and email delivery status information about messages users had received. Shodan search engine logs showed the database had been publicly accessible since at least September 13, 2018, when it was last indexed and flagged as compromised. Attackers left a ransom note demanding payment of 0.4 Bitcoin (approximately $2,400 at the time) to a specific Bitcoin address (3GKioTFrCFYcTmZR4DXPGatTXXp6Ugcq79), which had received four payments totaling 1.6 Bitcoin.

Evidence suggested this database had previously been compromised in late June 2018 during a separate campaign using identical ransom messages and payment addresses, based on matching reports from Chinese MongoDB server owners. Those earlier incidents involved database wiping by attackers attempting to extort payments for nonexistent backups. The presence of the same ransom note indicated the email marketing database was likely breached, wiped, and restored months prior without implementing adequate security measures. Investigators identified SaverSpy.com, a daily deals website operating under Coupons.com's affiliate program, as the probable owner through distinctive "Content-SaverSpy-09092018" suffixes found in records. Both Diachenko and ZDNet notified SaverSpy.com operators about the exposure, after which the database was secured on September 18, 2018. No public statement or confirmation was received from the company regarding the incident or its impacts.
