Millions of Iraqis had their phone numbers and associated locations exposed after somebody left open a dataset containing user data allegedly from two major Middle Eastern telecommunication providers.
The latest analysis from the Cybernews research team shows that someone could be hoarding masses of private data. In late August, the team stumbled upon an unprotected MongoDB instance containing the details of 14 million people.
The database holds two collections of information named after two major telecommunications companies: Zain and Asiacell. Headquartered in Kuwait, Zain services customers in Bahrain, Iraq, Jordan, Saudi Arabia, South Sudan, Sudan, Morocco, and the UAE. Meanwhile, Asiacell is the oldest Iraqi telecom.
The leaked data most likely covers customers in Iraq, as both Zain and Asiacell are among the country's top three telecommunication service providers. According to the team, the exposed instance had nearly four million records in the first collection and over 11 million in the second.
We have reached out to both companies and according to Asiacell, no data was leaked from the organization's systems.
“We take Cybersecurity and confidentiality of our data very seriously, and we have robust measures in place to protect it,” the company told Cybernews.
We have not received a comment from Zain but will update the article once we receive a reply.
What data was exposed?
While it’s impossible to check for duplicates as the team did not download the data, a combined exposure of 14 million people would represent nearly a quarter of Iraq’s population. Moreover, different customer details were revealed in both data collections in the exposed instance.
Customer details allegedly linked to Zain include:
- Phone numbers
- Names
- Addresses
Meanwhile, customer data allegedly linked to Asiacell revealed:
- Names
- City
- Status (active or non-active)
- Phone numbers
- Dates of birth
- ID numbers
“Having national ID numbers and other personal details exposed poses severe privacy implications to the affected individuals. Data, which seems to be linked to users of major telecom providers like Zain and Asiacell, presents a significant risk of targeted fraud, identity theft, and other malicious activities,” our researchers said.
According to the team, the exposed instance was closed soon after the team detected it. However, if our researchers managed to find it, attackers with less high-minded goals in mind might have, too. Malicious actors continuously scour the web for open databases, downloading anything open to the public almost instantly.
Interestingly, since the database contains information from two competing companies, the MongoDB instance’s owner could be a malicious actor. So far, the team has not been able to determine the owner of the instance.
“Those affected should take immediate precautions, such as monitoring their accounts for any suspicious activity,” our researchers said.
Disclosure timeline
- August 26th, leak discovered
- Possibly taken down/closed within a couple of days after discovery
- November 5th, Asiacell and Zain contacted