Around 23k MongoDB databases wiped and held for ransom


A hacker targeted 22,900 misconfigured MongoDB databases, demanding a ransom and threatening to leak the data and alert GDPR regulators

MongoDB is a cross-platform, document-oriented database program. Classified as a NoSQL database, MongoDB stores JSON-like documents with optional schemas. It is developed by MongoDB Inc. and licensed under the Server Side Public License (SSPL). Because of the default security configuration of MongoDB, which allows anyone who can reach the server to have full access to the database, data from 22,900 MongoDB installations has been stolen, and many of those servers have been held for ransom.

According to ZDNet, an unknown cybercriminal has targeted 22,900 unsecured MongoDB databases, wiping their contents and leaving behind a ransom note demanding bitcoin in return for the data. The hacker used an automated script to scan for misconfigured MongoDB databases that face the internet with no password protection, delete their contents, and demand 0.015 bitcoin (about $140) to return the data.
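The exposure described above comes down to two settings in the server's configuration file: which interfaces mongod listens on, and whether clients have to authenticate. The fragments below are an added illustration, not configuration taken from the article or from MongoDB Inc.; the file path, the private address 10.0.0.5 and the port are assumptions. The first document shows the combination that leaves a database open to the wiper, the second the hardened form.

```yaml
# Added example (not from the article or from MongoDB Inc.): two mongod.conf
# fragments, separated by '---', contrasting an exposed server with a hardened
# one. A real mongod.conf holds only one of these; the assumed path is
# /etc/mongod.conf and the private address 10.0.0.5 is made up.

# --- Exposed: listens on every interface, and no 'security' section, so any
# client that can reach TCP 27017 can read, modify or drop every database.
net:
  bindIp: 0.0.0.0
  port: 27017

---
# --- Hardened: loopback plus the private application-network address only,
# and role-based authorization switched on so every client must authenticate.
net:
  bindIp: 127.0.0.1,10.0.0.5   # never 0.0.0.0 on an internet-facing host
  port: 27017
security:
  authorization: enabled       # clients authenticate and are limited to their roles
```

Turning on `security.authorization` before any user exists does not lock the operator out: a connection from localhost can still create the first administrative user (the localhost exception), after which that account is used to create least-privilege users for each application. Since MongoDB 3.6 the packaged defaults already bind to localhost only, so the exposures in this story are typically the result of an operator changing `bindIp` to `0.0.0.0` without also enabling authorization; keeping the listening address on a private network and fronting the port with a host firewall is the second layer, so that a future configuration mistake does not immediately publish the database.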

According to the ransom notes, which are named READ_ME_TO_RECOVER_YOUR_DATA, if the owners of the misconfigured databases fail to pay within two days, the data stored in their databases will be leaked online and the leak will be reported to the owners' local General Data Protection Regulation (GDPR) enforcement authority, exposing them to penalties.

Victor Gevers, a security researcher at the GDI Foundation, told ZDNet that while the hacker had been planting ransom notes on misconfigured MongoDB databases since April this year, the hacker is now actually wiping data from these databases, and many of them contain production data critical to the affected organizations.

The researcher, whose work includes reporting exposed servers so they can be secured, said he noticed the wiped systems while checking on MongoDB databases he was about to report. "Today, I could only report one data leak. Normally, I can do at least between 5 or 10," he told ZDNet.

It is not yet known who is behind the wiping and the threats against MongoDB users. For more news on tech and cybersecurity, stay tuned to Android Rookies by subscribing to our newsletter here.
