Database containing personal info of 106 million international visitors to Thailand was exposed online

[fdsa]

A bit of technical detais: there is a piece of shít software called "MongoDB" which was created by some IT student on vacation, having no knowledge in informational security or computer networks.

Fun facts:

- by default this database binds to all network interfaces it could find (not the usual 127.0.0.1 local address that all adequate databases would do) thus exposing itself to the Internet rather than the local net.

- by default this database has no authentication at all, thus giving any stranger that connects to the database a full access to all data inside. The authentication in this database is very untrivial to setup so even if you try to make some login and password you might make a mistake and still allow full access to all data inside.

- this database became very popular among the unexperienced programmers because it is BLAZING FAST (the reason is - this database simply stores all data in RAM and every single other database would be as fast if you would store its data in RAM too. But actually if your tables have a complex structure then MongoDB will work much slower than the other databases.).

- and because of that popularity you could see those multi-gigabytes leaks found every single day.

 

 

 

Edited September 21, 2021 by fdsa

[NanaSomchai]

24 minutes ago, fdsa said:

A bit of technical detais: there is a piece of shít software called "MongoDB" which was created by some IT student on vacation, having no knowledge in informational security or computer networks.

Fun facts:

- by default this database binds to all network interfaces it could find (not the usual 127.0.0.1 local address that all adequate databases would do) thus exposing itself to the Internet rather than the local net.

- by default this database has no authentication at all, thus giving any stranger that connects to the database a full access to all data inside. The authentication in this database is very untrivial to setup so even if you try to make some login and password you might make a mistake and still allow full access to all data inside.

- this database became very popular among the unexperienced programmers because it is BLAZING FAST (the reason is - this database simply stores all data in RAM and every single other database would be as fast if you would store its data in RAM too. But actually if your tables have a complex structure then MongoDB will work much slower than the other databases.).

- and because of that popularity you could see those multi-gigabytes leaks found every single day.

 

 

 

Finally someone who knows what they're talking about.

 

I wish the industry standard would stop using MongoDB and switch to MySQL but then again, no matter how tightened and hardened the DB server is, there's no cure against SQL injections and cross site scripting kiddies due to "poor code" on the developer's end just as there will NEVER be anything really secure in this World as long as you'll have idiots using "123456" or "password" as... you guessed it... password.

 

I must admit binding a listening daemon with 0.0.0.0:* as ACL on a publicly not firewalled IP address is pretty reckless though, if not downright stupid.

 

But then again this is Thailand, nothing surprises me anymore here.

 

 

 

[tigerfeet]

7 hours ago, trainman34014 said:

Similar thing happened to me three years ago when i was given someone else's papers.    I've also had my name spelt wrong on many occasions on Bank Letters and Bank Books even after it's taken them half an hour to produce them and three different people involved.  Naturally it takes another half an hour to rectify things, no apologies, only giggles.  Thai Banks are the most inefficient i have ever come across anywhere on The Planet !

Same in all walks off life hear .if your mum dad or family work at a bank you get a job if your dad is police so are you .no matter what your education 

[hotchilli]

9 hours ago, webfact said:

An unsecured database containing international travel records dating back 10 years was left exposed on the web

Me thinks they need to get someone with cyber security knowledge in quickly and start training them beyond kindergarten level.

[hotchilli]

7 hours ago, trainman34014 said:

Similar thing happened to me three years ago when i was given someone else's papers.    I've also had my name spelt wrong on many occasions on Bank Letters and Bank Books even after it's taken them half an hour to produce them and three different people involved.  Naturally it takes another half an hour to rectify things, no apologies, only giggles.  Thai Banks are the most inefficient i have ever come across anywhere on The Planet !

Conversely if a Thai person [or any other nationality for that matter] went to a bank in your home country, and requested a document printed in Thai script, would they be able to do it flawlessly?

[Caldera]

Safe and Trusted Thailand, you say? ????

[biggles45]

Yes, if it was one of the languages supported by the printer.  The instructions on how to print would be in my home country language so easy to do, just select the language, as it should be in Thailand. 

[SuwadeeS]

I Bet, someone Sales the Data for big Bugs.

Now, These days, this Kind of Data is be Trades as normal as Rice.

[Ginner]

6 hours ago, HeijoshinCool said:

.

 

Meh, commented the PM, we don't care, because....

 

We're now only going after affluent big spenders. Peons can go somewhere else. Try the Philippines.

 

Did I mention we are opening for tourism on October 1st?

Friends at immigration are expecting the yearly amount of 800,000 for ret to be  recalculated and but up to between 1 million and 1,500.000. Just talk at the moment, but with their efforts to get big money spenders in and one beer every 5 hours bar flies out. Ha!

[Uroller]

7 hours ago, FritsSikkink said:

The Thai bashers missed the last part of the article in the link:

Comparitech has published many data incident reports like this one, including:

• 35 million US residents’ personal details exposed on the web
• India visa agency exposes 6,500 traveler’s visa applications on the web
• Prison phone service Telmate exposes messages, personal info of millions of inmates
• Social media data broker exposes nearly 235 million scraped profiles
• UFO VPN exposes millions of logs including user passwords
• 42 million Iranian “Telegram” phone numbers and user IDs were breached 
• Details of nearly 8 million UK online purchases leaked
• 250 million Microsoft customer support records were exposed online
• More than 260 million Facebook credentials were posted to a hacker forum
• Almost 3 billion email address leaked, many with corresponding passwords
• Detailed information on 188 million people was held in an unsecured database

-- © Copyright  comparitech 2021-09-21

And your point is????

[jacko45k]

14 minutes ago, Ginner said:

Friends at immigration are expecting the yearly amount of 800,000 for ret to be  recalculated and but up to between 1 million and 1,500.000. Just talk at the moment, but with their efforts to get big money spenders in and one beer every 5 hours bar flies out. Ha!

And these friends have connections to those who can enact such changes? I would see such a change as a simple effort to get more people to pay agents to arrange retirement extensions. 

Edited September 21, 2021 by jacko45k

[NightSky]

7 hours ago, kotsak said:

I never had spam calls and SMS bothering me for the past 10 years until I started registering for the vax programs..  ????

that’s a coincidence. I didn’t receive Thai related email spam from ‘Asian girl looking for fun’, until I signed up for thai visa!

[aussienam]

Khaosan Road passport vendors just hit the jackpot for making fake passports.  Lots of names and numbers to choose from.  As well as overseas. 

Edited September 21, 2021 by aussienam

[Jimbo2014]

Thailand 4.0... 4 times the wait, 4 times the paperwork, 4 times the online exposure!

[FritsSikkink]

27 minutes ago, Uroller said:

And your point is????

That a lot of people think that they and their country are way better then here and that is doubtful. You hear people complaining about an App not working, saying the developers are dumb while they are too stupid to click the upload button. 

I do agree that there are Websites and Apps here that should be working a lot better and safer but that is the same in other countries.

Edited September 21, 2021 by FritsSikkink

[Bangkok Barry]

8 hours ago, ThailandRyan said:

Had my second vaccination at MedPark hospital on last Thursday.  When my 30 minutes was up the nurse took my blood pressure and handed me what I thought was my vaccination certificate. It was all in Thai, and then I noticed the birthdate was for someone born in 1988 and was a female.  I went back to the nurse and showed her the certificate and she apologized, but could not find my actual certificate.  Another was then re-printed for me.  Question is does the lady whose certificate I was given have mine or one of a hundred others getting their vaccination that day.  No one bothers to check what they are handing out it appears.  My doctors office hands me the paperwork while still holding on to it and asks me to verify the information is mine and is true and correct.  I then have to sign the bottom of the top copy then review the copy being given to me and then they put the paperwork in an envelope and hand me the slip to give to the cashier.......Not all things are equal it appears from hospital to hospital and when you have a mass amount of folks it appears folks get complacent, just like whoever left the database unlocked for immigrations travelers.....

I was vaccinated, second jab, a week ago and still don't have the certificate as their computer system wasn't working. I was told I will get it sometime, somehow, somewhere. I really, really have no idea how Thailand manages to function at all as so many things don't work and so many people really have no idea what they are doing. It's like dealing with 7 year olds.

[MrJ2U]

By now they have all our information with all the data leaks here and elsewhere around the world.

 

A good thing you can do is invest in a password manager.

 

 

[fdsa]

5 minutes ago, FritsSikkink said:

That a lot of people think that they and their country are way better then here and that is doubtful.

With my more than 10 years experience working in IT and a bit of infosec lately I could say that it is not even doubtful but absolutely clear that all countries have awful gaping holes in their computer systems and all countries have ignorant programmers having no clue (or giving no <deleted> about) what they are doing.

And the closer to the government the worse the computer systems and programmers are, because they usually get contracts for being someone's relative and not for being a good programmer.

[sirineou]

8 hours ago, FritsSikkink said:

The Thai bashers missed the last part of the article in the link:

Comparitech has published many data incident reports like this one, including:

• 35 million US residents’ personal details exposed on the web
• India visa agency exposes 6,500 traveler’s visa applications on the web
• Prison phone service Telmate exposes messages, personal info of millions of inmates
• Social media data broker exposes nearly 235 million scraped profiles
• UFO VPN exposes millions of logs including user passwords
• 42 million Iranian “Telegram” phone numbers and user IDs were breached 
• Details of nearly 8 million UK online purchases leaked
• 250 million Microsoft customer support records were exposed online
• More than 260 million Facebook credentials were posted to a hacker forum
• Almost 3 billion email address leaked, many with corresponding passwords
• Detailed information on 188 million people was held in an unsecured database

-- © Copyright  comparitech 2021-09-21

Since Comparitech has published many data incident reports and the transgressions are publisized and easy to find, as you have shown , then IMO the Thai government should not had used them. 

If you were in charge of safeguarding such personal information for the public, would you have used them?

At best the Thai government can claim ignorance IMO.

[Bangkok Barry]

1 hour ago, hotchilli said:

Conversely if a Thai person [or any other nationality for that matter] went to a bank in your home country, and requested a document printed in Thai script, would they be able to do it flawlessly?

English is an international language recognised everywhere. Thai is used by, at a guess, 100 million throughout the entire world, nearly all of whom are in one insignificant country. In the real world, official documents would be checked carefully before being issued, and mis-spelt names even in Thai script would be spotted. It is a case of doing a job 'near enough' or doing it properly. Thailand all too often does 'near enough'.

[Uroller]

39 minutes ago, FritsSikkink said:

That a lot of people think that they and their country are way better then here and that is doubtful. You hear people complaining about an App not working, saying the developers are dumb while they are too stupid to click the upload button. 

I do agree that there are Websites and Apps here that should be working a lot better and safer but that is the same in other countries.

I never picked that sentiment up from the posts, just the fact of the information leak????

[Thunglom]

Thai government and business web sites are usually just a joke - they constantly don't work or do what they are meant to do and you are left with the feeling that they go unmonitored for weeks on end. So a breach like this is no surprise.

[chalawaan]

One more reason for sane foreigners never to return until the clown show finally ends and a reformed era begins. I predict that will be the in year twenty oh never.

[chalawaan]

50 minutes ago, FritsSikkink said:

That a lot of people think that they and their country are way better then here and that is doubtful. You hear people complaining about an App not working, saying the developers are dumb while they are too stupid to click the upload button. 

I do agree that there are Websites and Apps here that should be working a lot better and safer but that is the same in other countries.

Ah THAT'S why the ninety day report site is a steaming pile of poopoo, it's all my fault! (how Thai is that!) I didn't press the upload button. I feel a hot rush of shame followed by great relief!

To which office should I report to to prostrate myself and offer deep apologies?

[Bkktodd]

9 hours ago, trainman34014 said:

Similar thing happened to me three years ago when i was given someone else's papers.    I've also had my name spelt wrong on many occasions on Bank Letters and Bank Books even after it's taken them half an hour to produce them and three different people involved.  Naturally it takes another half an hour to rectify things, no apologies, only giggles.  Thai Banks are the most inefficient i have ever come across anywhere on The Planet !

Maybe they spell thai names better in thai.  English is not their first language….guess you forgot.  “My friend you” should remind you.  ????

[Bkktodd]

1 hour ago, Bangkok Barry said:

I was vaccinated, second jab, a week ago and still don't have the certificate as their computer system wasn't working. I was told I will get it sometime, somehow, somewhere. I really, really have no idea how Thailand manages to function at all as so many things don't work and so many people really have no idea what they are doing. It's like dealing with 7 year olds.

The same happened to my mate but he got a call and picked up his vaccination card properly prepared.  Maybe back home in your country they go things better.  Oh but you choose to diss Thailand for all its flaws.  Pension goes along way here.  Price you pay for misspellings

Edited September 21, 2021 by Bkktodd

[ThLT]

Anyway to see if your data is part of that 106 million???

[ThailandRyan]

4 minutes ago, ThLT said:

Anyway to see if your data is part of that 106 million???

Well lets see the OP says the data going back 10 years for those entering Thailand was taken pretty much says that anyone who has entered during the past 10 years has been exposed.  Of course that is just my view from reading the OP and article.

 

"An unsecured database containing international travel records dating back 10 years was left exposed on the web"

The personal details of more than 106 million international travelers to Thailand were exposed on the web without a password, Comparitech researchers report. The database included full names, passport numbers, arrival dates, and more.

Edited September 21, 2021 by ThailandRyan

[ThLT]

3 minutes ago, ThailandRyan said:

"An unsecured database containing international travel records dating back 10 years was left exposed on the web"

The personal details of more than 106 million international travelers to Thailand were exposed on the web 

There have been more than 106 million travellers in Thailand, especially in 10 years. Before COVID, there were 30-40 million per year.

 

So there's around a 1/3 chance that we are on there.

[bangon04]

This leak could be problematic - it may be possible to specify from the database - how many individuals entered more than once per year, how many individuals entered on visas other than tourist, etc etc.

It could reduce the TAT statistics for "tourist" arrivals ......