Hacker Left Ransom Notes on 22,900 Exposed MongoDB Databases

NoSQL databases such as MongoDB are widely used in online applications, and an instance that is left reachable from the internet without authentication is a data breach waiting to happen. In June, the ZDNet security team found a hacker using an automated script to scan for such misconfigured MongoDB databases.

What happened

The hacker left ransom notes on approximately 22,900 unsecured MongoDB databases exposed online, roughly 47% of all MongoDB databases reachable from the internet.
  • The attacks began as early as April 2020, but at first the script only left the note and did not wipe the data. The attacker soon noticed the mistake and corrected the script so that it wiped the MongoDB databases clean.
  • The hacker wiped the databases' content and left a ransom note behind demanding a payment of 0.015 bitcoin.
  • Victims were given two days to pay. Otherwise the attacker threatened to leak their data and then report the leak to the victim's local General Data Protection Regulation (GDPR) enforcement authority.

Nothing appears to have changed

The MongoDB ransom attacks peaked in 2017 and have continued since then. There have been several incidents in which misconfigured databases exposed the sensitive data of millions of users.
  • In March, researchers discovered an unsecured MongoDB database on an Amazon Web Services (AWS) server containing nearly eight million sales records of UK shoppers.
  • In February, two MongoDB databases exposed online leaked the personal information of thousands of students of the Institute of International Education (IIE), a US-based educational organization.

Security tips

Every incident above has the same root cause: a mongod instance reachable from the internet with authorization disabled, so anyone who could connect to port 27017 could list, dump and drop every database. The first fixes are configuration, not cryptography: bind mongod to localhost or a private interface (net.bindIp) and firewall the port, enable security.authorization and create users with only the privileges their applications need, use TLS for connections that cross a network, and keep tested off-host backups so a wiped database is restored rather than ransomed. Beyond that, organizations should move from a purely access-centric to a data-centric approach and encrypt sensitive fields properly, so that a leaked copy is of limited use; note, however, that encryption at rest alone does not stop this attack, because an unauthenticated client reads and drops the data through the normal query interface.
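As an added illustration of what "misconfigured" means in the incidents described above and of the checks behind the tips in this section (this is example code written for this page, not part of the ZDNet report or of MongoDB itself), the Python below inspects a parsed mongod.conf for the two settings that turned these servers into targets: a bind address reachable from outside the host, and security.authorization left at its default of disabled. The sample configurations are constructed; the checker assumes the configuration has already been parsed into a dict (in practice yaml.safe_load on mongod.conf) and encodes the version-dependent default of net.bindIp (all interfaces before MongoDB 3.6, localhost from 3.6 on).

```python
"""Static check for the misconfiguration behind the MongoDB ransom attacks:
a mongod listening on a non-loopback interface with authorization disabled.

Added example, not the page's or MongoDB's own code. The two sample configs
below are constructed to mirror the YAML keys of mongod.conf; in practice
load the real file with yaml.safe_load() and pass the dict to
assess_mongod_config().
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARD = {"0.0.0.0", "::"}


def _get(cfg, dotted, default=None):
    """Look up a nested key such as 'net.bindIp' in a parsed mongod.conf dict."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def listening_addresses(cfg, version):
    """Return the set of addresses mongod will bind to.

    net.bindIpAll overrides net.bindIp. With neither set, the default depends
    on the server version: before 3.6 mongod listened on every interface,
    from 3.6 onward only on localhost.
    """
    if _get(cfg, "net.bindIpAll") is True:
        return {"0.0.0.0"}
    bind_ip = _get(cfg, "net.bindIp")
    if bind_ip is None:
        return {"0.0.0.0"} if version < (3, 6) else {"127.0.0.1"}
    # bindIp may be one comma-separated string or a YAML list.
    if isinstance(bind_ip, str):
        bind_ip = bind_ip.split(",")
    return {a.strip() for a in bind_ip if a.strip()}


def auth_enabled(cfg):
    """security.authorization defaults to disabled; only 'enabled' turns it on."""
    return str(_get(cfg, "security.authorization", "disabled")).lower() == "enabled"


def assess_mongod_config(cfg, version=(4, 4)):
    """Return a list of findings; an empty list means both checks passed.

    Binding to a specific non-loopback address is acceptable when authorization
    is on, so it is only reported in combination with disabled auth.
    """
    findings = []
    addrs = listening_addresses(cfg, version)
    public = addrs - LOOPBACK
    if public & WILDCARD:
        findings.append("net.bindIp: listening on all interfaces (%s)"
                        % ", ".join(sorted(public & WILDCARD)))
    if not auth_enabled(cfg):
        findings.append("security.authorization is not 'enabled': "
                        "any client that can connect has full access")
    if public and not auth_enabled(cfg):
        findings.insert(0, "CRITICAL: reachable on %s without authentication; anyone who "
                           "can reach port %s can list, read and drop every database"
                           % (", ".join(sorted(public)), _get(cfg, "net.port", 27017)))
    return findings


# Constructed sample: the exposed configuration behind the incidents in the article.
EXPOSED_CONF = {
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
    "storage": {"dbPath": "/var/lib/mongodb"},
}

# Constructed sample: the same server hardened. Users still have to be created
# (db.createUser) once authorization is on, and port 27017 should be firewalled
# so that only the application hosts can reach 10.0.0.5.
HARDENED_CONF = {
    "net": {"port": 27017, "bindIp": "127.0.0.1,10.0.0.5"},
    "security": {"authorization": "enabled"},
    "storage": {"dbPath": "/var/lib/mongodb"},
}

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, assess_mongod_config(conf) or ["OK"])
```

Running the checker with an empty configuration shows why the version matters: on a pre-3.6 server an untouched mongod.conf already yields the critical finding, while on 3.6 or later the same file is only flagged for missing authorization because the server binds to localhost by default.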