GhostShell hacker leaks 39 million accounts in security “protest”

A hacker has stolen an estimated 39 million account details — just by walking in and taking them.

The well-known hacker, who goes by the moniker GhostShell, was able to download a vast but unknown number of databases from 110 distinct internet-connected servers that did not require credentials.

The hacker used port scanning tools, including Shodan.io, a search engine for internet-connected devices, to find the databases, which were stored on public-facing servers running the widely used database software MongoDB.

The hacker added that many system administrators “do not bother checking for open ports on their recently configured servers,” which means anyone can access the data without needing a username and password.

“This can essentially lead to anyone infiltrating the network and handling their internal information with no hindrance. You do not even have to elevate your privileges, you have complete access and simply join. It’s possible for you to create new databases, delete existing ones, change information, and a lot more,” the hacker said.

It is not immediately clear who manages the databases, or what all of them are for.

Many are hosted by well-known providers, including Rackspace and Amazon Web Services.

Though every database differs, we could find full names, usernames, dates of arrival, email addresses, phone numbers, genders, payment gateway information (such as whether a credit card was declined), job titles and descriptions, and even wedding dates. We also found social media-related content, such as Twitter IDs and Facebook profile IDs, profile pictures, and tokens used to authenticate a user with a service.

Sometimes, we discovered complete e-mail content — some of it marked private.

We also discovered a large amount of metadata, such as connecting IP addresses, device information, geolocation data, browser types, user agents (which could be used to identify and track a unique device), and when user accounts were created and when they last logged in, to name just a few.

In many cases, there are combinations of usernames or email addresses and plaintext passwords, which might enable a hacker to carry out further intrusions.

He was also able to offer an at-a-glance view of whose information was caught up in the databases.

He also found more than 7,000 .edu addresses from schools and universities, most of which appear to belong to staff members.

One of the databases included about 140,000 unique email addresses. When asked, GhostShell explained that this database included details on “the top IT of the most affluent corporations from the US”, or in other words, senior IT staff at high-profile organizations such as Apple, IBM, Microsoft, and even federal agencies like the FBI.

That unsecured database was hosted by Webair, a NY-based cloud hosting business. A representative addressed the unsecured server in a statement.

“If the customer uploads unguarded information onto a public site, it’s the clients’ obligation — Webair keeps no control over their choice to do so,” said the representative.

“I am not that keen on obstructing them,” GhostShell told me, referring to Webair. “But when you are a business so old, and with a capital so enormous… with high positions customers, you’d think they’d at least attempt to shield them,” he said.

The size of the downloadable cache places it among the biggest breaches this year, but it could have been much bigger, given the resources and time.

by admin on June 7th, 2016 in Hacker attack
