Hackers replace customer data on unprotected MongoDB with ransom note

• The open database which belongs to a bookseller in Mexico named Librería Porrúa contained almost 2.1 million purchase details and customer records.
• The ransom note stated that the contents of the database are backed up on the attacker's servers and demanded a ransom payment of 0.05 BTC worth $500 to recover the data.

What happened?

Hackers who found an unprotected MongoDB instance which was publicly accessible without any authentication erased all the contents of the database and replaced them with a ransom note.

What was contained in the database?

The open database which belongs to a bookseller in Mexico named Librería Porrúa contained almost 1.2 million customer records, including:

• Customers’ personal details such as names, dates of birth, email addresses, and phone numbers
• Purchase details such as shopping cart ID, discount codes, activation codes and token, invoices, and payment card details.

Additionally, the database stored 958,000 personal data records including client ID, names, dates of birth, email addresses, phone numbers, user tokens, discount card activation codes, and discount card activation dates.

The big picture

Security researcher Bob Diachenko discovered the MongoDB instance on July 15, 2019. Three days later, Diachenko noticed that the contents of the database have been wiped and replaced with a ransom note.

The ransom note stated that the contents of the database are backed up on the attacker's servers and demanded a ransom payment of 0.05 BTC worth $500 to recover the data.

Upon discovery, Diachenko reported the incident to Librería Porrúa, however, did not hear back from the company. The researcher added that whether Librería Porrúa paid the ransom is unclear, however, even if it did, that doesn’t mean the information in the database is secure. The hackers could still have a copy stored elsewhere.

“The people whose information was exposed could be at risk of spam, targeted phishing, and fraud. For example, affected users might receive emails claiming to be from Librería Porrúa with a link to a fake Librería Porrúa website. Users might be directed to enter login details on the identical fake website, giving hackers their passwords,” Diachenko said.