MongoDB user data leaked! – ShiftDelete.Net

According to a statement from the Personal Data Protection Authority (KVKK), a data leak occurred as a result of an attack on MongoDB Limited. It was shared that tens of thousands of Turkish users may have been affected by this leak. Here are the details…

Data breach in MongoDB!

For those who don’t know, MongoDB is an open source NoSQL database application. This database application, used by developers and large organizations, worried users with a leak that occurred in the past few hours.

According to the statement made by MongoDB, this leak occurred due to unauthorized access to the account of a company employee. According to the statement, the malicious individual who gained access downloaded a copy of the data.

According to the information MongoDB shared with KVKK, customer contact information and metadata of the relevant accounts were seized. This personal information included name, surname and e-mail address, and more information was leaked from the CRM application and customer support application used by large companies. According to KVKK’s announcement of this data breach, between 130 thousand and 160 thousand Turkish users may have been affected.

The relevant statement made by KVKK is as follows:

“As is known, paragraph (5) of Article 12 of the Personal Data Protection Law No. 6698, titled ‘Obligations regarding data security’, stipulates that ‘In case the processed personal data is obtained by others through illegal means, the data controller shall notify the relevant person and the Board of this situation as soon as possible. If necessary, the Board may announce this situation on its own website or through another method it deems appropriate.’

In summary, the data breach notification submitted to the Board by MongoDB Limited, which is the data controller, includes the following information:

  • It was noticed on December 13, 2023 that a user account was making unusual and suspicious queries, and the investigation was deepened accordingly,
  • There were findings that an unknown third party gained unauthorized access to the user accounts of a limited number of data controller employees and accessed and downloaded personal data regarding users of some services,
  • Although the investigations continue, it was determined on December 20, 2023 that customer contact information and metadata of the relevant accounts were leaked from the CRM application and customer support application,
  • Affected personal data includes name, surname, address and e-mail addresses (usually business address); however, there are other data fields in the CRM application and customer support application, which are as follows:
    • Data fields in the CRM application: address, name, surname, title, account number, company name, address, telephone number (main, mobile, fax), e-mail, sales representative (MongoDB) name, surname,
    • Data fields in the Customer Support application: username (email address), last successful authentication time, last authentication method used, identifier for the user’s preferred time zone, alphabetic code for the user’s preferred time zone, user’s registration date, user’s first name, last name, unique user ID, information that the user has been invited but has not yet accepted the invitation, the user has limited permissions, the last time the page was viewed by the user, the number of times a user has logged in, whether the user has been blocked automatically or manually and whether the user has been deleted, the time they were deleted, email verification date, information that requires email verification, alternative email, information that enables multi-factor authentication,
    • Data fields for users of the deprecated multi-factor authentication (MFA) system: phone number used for deprecated MFA, phone number extension used for deprecated MFA, alternate phone number used for deprecated MFA, alternate phone number extension used for deprecated MFA, whether an authenticator device was used for deprecated MFA, information about whether the user wants to receive voice calls for deprecated MFA,
  • Between 130,000 and 160,000 users from Turkey may have been affected by the breach,
  • A public announcement about the violation was published at https://www.mongodb.com/alerts#general-alert on December 16, 2023,
  • Contact persons can receive information about the violation via the e-mail address [email protected].

Although the investigation on the issue continues, with the Decision of the Personal Data Protection Board dated 28.12.2023 and numbered 2023/2233, it was decided to announce the data breach notification on the Authority’s website.

It is announced to the public with respect.”
