MongoDB Server Exposes Babysitting App's Database

The makers of Sitter, a popular app for connecting babysitters with parents, have involuntarily exposed the personal details of over 93,000 users.

The exposure took place last week and was caused by a MongoDB database left exposed on the Internet with no credentials.

Independent security researcher Bob Diachenko discovered the database. He told Bleeping Computer that he spotted the database on August 14, when he immediately reported the issue to the Sitter app makers. The Sitter team secured the database on the same day of the report, Diachenko said.

The database was previously indexed on Shodan, a search engine for Internet-connected devices, a day earlier, on August 13.

Sensitive user details exposed on misconfigured server

According to two screenshots of the exposed server the researcher shared with Bleeping Computer, the database contained various type of data, including some sensitive user information.

This included encrypted passwords for around 93,000 Sitter accounts, the number of children per family, user home addresses, phone numbers, users' address book contacts, and partial payment card numbers for a user's transactions.

Other info included past in-app chats, but also details about sitting sessions, including past locations and times. Over 2GB of data were exposed online via the leaky MongoDB server.

Sitter spokespersons did not respond to a request for comment for this article.

Diachenko says the Sitter team told him they notified the affected users whose data they exposed.

"It is still unknown if there were any other connections to the database and for how long it has been exposed until Shodan indexed it," Diachenko wrote in a LinkedIn post.