Abbyy leaked 203,000 sensitive customer documents in server lapse

Abbyy, a maker of optical character recognition software, has exposed a trove of sensitive customer documents after a database server was left online without a password.

The exposed server was found by former Kromtech security researcher Bob Diachenko, who now works independently. In a blog post shared prior to publication, he said one of the company’s MongoDB servers was mistakenly configured for public access. He told TechCrunch that the server contained 203,896 scanned files, including contracts, non-disclosure agreements, memos and other highly sensitive documents dating back to 2012.

The data also included corporate usernames and scrambled passwords.

The Moscow-based company specializes in document capture products and services, including converting physical documents to searchable and indexable digital content across a range of languages.

The company claims to serve thousands of organizations and over 50 million users.

After a private disclosure earlier this month, the server was pulled offline. Abbyy confirmed the exposure in an email Monday but did not say why the storage server was left open for anyone to access.

“The incident in question concerns one rather than several customers and files bearing commercial information,” said spokesperson Anna Ivanova-Galitsina. “The customer has been duly notified and we are cooperating on corrective measures.”

“As soon as [Diachenko] notified us we locked external access to the documents. We have made all the notifications that are legally required, have conducted a full corrective security review of our infrastructure, processes and procedures,” the spokesperson said. The company said that the exposure was “a one-off incident and doesn’t compromise any other services, products or clients of the company,” but noted that a “further analysis is ongoing.”

When pressed, the company would not confirm the name of the customer affected. Abbyy has dozens of major global customers, including Volkswagen, PepsiCo, McDonald’s, and the Australian Taxation Office.

Abbyy did not say if anyone else accessed the database.

It’s the latest in a string of exposed MongoDB databases found by Diachenko in recent months, including a popular virtual keyboard app with 31 million users and more recently an app for connecting babysitters.

MongoDB is widely used across the enterprise for scalability and versatility, but many older versions of the database software still in use today operate without a password by default. Last year, hackers took advantage of thousands of exposes servers by downloading and deleting their contents — effectively holding them for ransom.