👤achillean🕑9y🔼142🗨️63

(Replying to PARENT post)

> On the next screen I just hit the connect button to see what would happen:

> Not really sure what it does, but I found several Droisys e-mail addresses in the database and decided to mail them that their database was exposed on the internet.

Oh man, this is a bad idea.

If you find something out there that you think you can connect to - poor password, no password, etc - you must be very careful.

In some cases, just reporting it will cause you problems. At this point, you probably haven't broken the law but some companies are just jackasses.

But once you connect, the game changes. It is "unauthorized access" and it's probable that you broke your local laws. At that point, it's not just a jackass company that gets involved, it's local law enforcement too.

And then you get data from the database. It's probably going to get even worse for you.

When you go a step further and share a howto on the web... this is a bad idea all around.

This is not proper disclosure. If I were him, I'd get a good lawyer.

👤caseysoftware🕑9y🔼0🗨️0

(Replying to PARENT post)

In the words of Phineas Fisher:

"NoSQL, or rather NoAuthentication, has been a huge gift to the hacker community. Just when I was worried that they'd finally patched all of the authentication bypass bugs in MySQL, new databases came into style that lack authentication by design."

From his account of the Hacking Team Hack, worth a read if you missed it.

http://pastebin.com/raw/0SNSvyjJ

👤opaque🕑9y🔼0🗨️0
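The "NoAuthentication by design" point above, as an added example that is not from the post or from Phineas Fisher's write-up: a constructed mongod.conf that leaves the database reachable with no credentials, beside a hardened one (shown as two YAML documents; a real mongod.conf holds only the second). The admin user name and password are placeholders.

```yaml
# Exposed configuration (constructed example): all interfaces, no auth.
# Anyone who can reach TCP/27017 can read and modify every collection,
# which is exactly what the Shodan search in the article turns up.
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on every interface, public ones included
security:
  authorization: disabled  # no username or password required at all

---
# Hardened configuration (constructed example).
net:
  port: 27017
  bindIp: 127.0.0.1        # local clients only; add private addresses as needed
security:
  authorization: enabled   # every connection must authenticate

# With authorization enabled, create the first administrative user over a
# localhost connection (MongoDB's localhost exception) before restarting,
# e.g. in the mongo shell, <admin-user> and <strong password> being placeholders:
#   use admin
#   db.createUser({ user: "<admin-user>", pwd: "<strong password>",
#                   roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] })
#
# Then confirm your own server no longer answers unauthenticated, e.g.
#   mongo --host <your-server> --eval 'db.adminCommand({listDatabases: 1})'
# should fail with an authorization error instead of listing the databases.
```

A host-level firewall rule that only admits known client addresses to 27017 is a second, independent layer; authorization alone does not stop the instance from showing up in an internet-wide scan.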

(Replying to PARENT post)

So you do everything you can to hide the IP address, but reveal that the domain is-savvy.nl resolves to it.

Either you're not actually that good at IT security or you're just making a huge brain fart.

    $ dig +short is-savvy.nl
    37.59.238.165

So it's not really a mystery what the X.X.238.165 and X.X.238.166 addresses actually refer to.

👤kba🕑9y🔼0🗨️0

(Replying to PARENT post)

Wouldn't it be better and easier to do a WHOIS lookup on the actual IP address, and email whoever shows up there? Sometimes you'll get the hosting provider (and they can contact the customer for you, maybe even anonymously), and sometimes you'll find the company itself.

At least you're not bouncing around domains which can be pointed anywhere.

👤0x0🕑9y🔼0🗨️0

(Replying to PARENT post)

I don't know why he bothered to blank out the IP address for is-savvy.nl. DNS will tell you that there is literally one A record which matches the last two bytes.

👤microcolonel🕑9y🔼0🗨️0

(Replying to PARENT post)

>The database had no username and password configured to protect it, so I assumed it was a public database with data for everyone to see ;-)

No, a wink won't protect you in court. You illegally accessed someone's data. As they say: just because the house is unlocked doesn't mean you're allowed in. Pray this doesn't get you in trouble. Good grief...

👤jsumrall🕑9y🔼0🗨️0

(Replying to PARENT post)

For those having trouble accessing the site, this is the archived version: https://web.archive.org/web/20160514214255/http://sijmen.ruw...

👤0x54MUR41🕑9y🔼0🗨️0

(Replying to PARENT post)

A few years back I anonymously reported a huge data leak. Weeks later they asked for my name and address so they could "send me a gift".

To this day they still haven't fixed the leak. And I took a pass on that "gift".

👤mitm2mitm🕑9y🔼0🗨️0

(Replying to PARENT post)

What kind of laws apply in this locality?

In the US I wouldn't be able to connect to their MongoDB server without it being a crime, password or not.

👤cs2818🕑9y🔼0🗨️0