27,000 MongoDB servers have their data wiped, receive ransom demand for its safe return

Here’s what you need to know.

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

27,000 MongoDB servers have their data wiped, receive ransom demand for its safe return

What’s happened?
Tens of thousands of unprotected MongoDB databases have been taken hostage by hackers, who have wiped data from company servers and are demanding a ransom be paid for the safe return of the information.

Typical victims include hospitals, small businesses and educational institutions.

Some have suggested that the number of affected databases could be in the region of 27,000.

Sign up to our free newsletter.
Security news, advice, and tips.

MongoDB? What’s that?
MongoDB is an open source document database.

And it has a vulnerability that the hackers were able to exploit? Sheesh…
Not so fast. There are security measures built into MongoDB, it’s just that some users don’t bother to use them. For instance, some MongoDB administrators have been leaving their systems accessible to the open internet, without having so much as an admin password in place.

Why would anyone be running an open MongoDB instance?
Because they like living dangerously? Because they get a kick out of being reckless with people’s data?

Seriously, there’s no good reason. It’s a crazy thing to do.

I’m sure I’ve heard of people breaking into unsecured MongoDB databases before and stealing data
Yup, it’s not rocket science. For instance, a researcher stumbled across the details of 13 million Mac users after controversial firm MacKeeper left them exposed for any Tom, Dick or Harry to see in an unprotected MongoDB instance.

But what’s different in this case is that an intruder is not just claiming to steal the data, they’re also wiping the victim’s copy and attempting to extort a Bitcoin ransom:

“SEND 0.2 BTC TO THIS ADDRESS 13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq AND CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE !”

“Claiming” to steal the data?
Yes. Data has definitely been wiped – we know that. And ransom demands for its safe return have been made. What we don’t know is whether it’s actually true that data has been stolen. That would, after all, be a lot of data to steal from many different systems. It’s possible that the attackers are just taking a punt with their ransom demand… but don’t actually have the data to return.

I see. So, might MongoDB instances that are protected by a password or are not accessible via the public internet also be at risk?
To date the attacks have only been against MongoDB instances that have been left wide open by lackadaisical administrators. In theory it might be possible to launch attacks against instances where admins have used easy-to-guess passwords, but there’s no reason to believe that’s likely to happen at the moment.

The message is simple – use strong, unique passwords and don’t connect things to the internet unless they need to be connected to the internet.

Yes, you’ve heard that advice before. No, people don’t seem to be getting the message. Sigh…

What is the company behind MongoDB doing about it?
I imagine it is feeling pretty frustrated that some of their users are being so careless with the software.

MongoDB Inc clearly needs to reach out to the community and underline the importance of not having unsecured instances of MongoDB running openly on the net. It has posted some advice for users on its website.

Of course, the damage is somewhat lessened if you had taken the precaution of backing up your database. If that’s the case then you only have the embarrassing problem of explaining to your customers that their data has perhaps been stolen and personal information exposed, rather than be utterly incapable of doing any business.

However, if you’re the kind of outfit that doesn’t have an admin password for your database and leaves it open to the internet then I don’t hold out much hope that you’ve been making backups…


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

5 comments on “27,000 MongoDB servers have their data wiped, receive ransom demand for its safe return”

  1. Michael Ponzani

    Password Boss, use password boss.

  2. Clayton

    Maybe services shouldn't ever be wide open by default. Ever.

  3. Greg Martin

    How do you not call out Mongo for shipping a product with insecure defaults? We learned this years ago.

    1. Graham CluleyGraham Cluley · in reply to Greg Martin

      Fair point.

      Let me be clear then – I think it sucks that default installations of MongoDB are so clearly insecure.

      1. infosectdk · in reply to Graham Cluley

        Quite clearly MongoDB could patch/update the installation release to their databases to make it secure by default, or at the very least "lazy" admins have to make and effort to undo the fixes?

        An Admin has no excuse to their bosses if there is a breach and their "newer" version is the problem due to a lazy admin?

        Obviously the legacy issues – and it is always legacy issues isn't it, is the major problem.

        Also a culture issue. We bang on at end users to be more savvy and secure, but I really think the c-level exec people don't have a clue and need to get a grip.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.