Garmin-owned navigation unit exposed thousands of boat owners’ data

Navionics, an electronic navigational chart maker owned by tech giant Garmin, has secured an exposed database that contained hundreds of thousands of customer records.

The MongoDB database wasn’t secured with a password, allowing anyone who knew where to look to access and download the data.

The company’s main products give boat, yacht and ship owners better access to real-time navigation charts, and the company boasts the “world’s largest cartography database.”

Bob Diachenko, Hacken.io’s newly appointed director of cyber risk research, said in a blog post that the 19 gigabyte database contained 261,259 unique records, including customer names and email addresses. The data also included information about their boats — such as latitude and longitude, boat speed and other navigational details — which Diachenko said was likely updating in real time.

After Diachenko contacted the company, Navionics shut down the server.

A Navionics spokesperson confirmed the breach. “Once notified, we immediately investigated and resolved the vulnerability,” the spokesperson said. “Following our investigation, we confirmed that none of the records or data were otherwise accessed or exfiltrated, and none of the data was lost.”

Navionics began notifying customers Monday.

It’s the latest in a string of MongoDB-based exposures. For years, the database was designed to sit behind firewalls and was not automatically password protected. Since more databases have become connected directly to the internet, MongoDB refreshed its software to include a password by default. But many outdated installations are still unsecured.

Many exposed MongoDB databases have been accessed by hackers, had their contents downloaded and then wiped, and held to ransom.

MongoDB is one of the most widely used database providers in the world.