Connect with us

Hi, what are you looking for?


Data Protection

33,000 Databases Fall in MongoDB Massacre

Nearly 33,000 MongoDB databases have been hijacked as of today, the latest numbers associated with a series of attack campaigns that have been picking up pace over the past couple of weeks show.

Nearly 33,000 MongoDB databases have been hijacked as of today, the latest numbers associated with a series of attack campaigns that have been picking up pace over the past couple of weeks show.

What started as a seemingly isolated incident in December turned out to be a massacre targeting insecure, Internet exposed MongoDB databases worldwide. Now, multiple actors are attempting to cash in on organizations’ failure to properly secure their web-based databases.

Initially, a single hacker was observed hijacking MongoDB databases, stealing their content, and holding it for ransom. The actor was asking for a 0.2 Bitcoin ransom, and tens of organizations paid it within the first two weeks alone.

Soon after the initial round of attacks made it to the headlines at the beginning of the year, things escalated as more hackers decided to join the campaign. Currently, MongoDB databases are being attacked by nearly two dozen hackers, and the pace at which databases have been hacked has increased dramatically.

Within days, tens of thousands of MongoDB databases fell to the massacre, as the number rose from only 10,000 on Friday to nearly 33,000 as of this morning. According to a tweet from Cap Gemini’s Niall Merrigan, the system database names are no longer at the top of the stats, as the ransomed database name managed to climb to the leading position on Tuesday.

These attacks are easy to perform because the exposed databases can be discovered using online tools, and installations aren’t secured by default. In fact, while other databases require some form of credentials and are local installations, MongoDB databases are exposed to the Internet right from the start and require no credentials whatsoever.

Ethical hacker Victor Gevers, who was the first to discover the attack, told SecurityWeek that some companies in fact fail to secure their databases even after they’ve been hacked. “But do not underestimate how unwise some organizations respond when they find out their database was stolen. They remove the note and just restore the database, but leave the server still open,” he said.

Advertisement. Scroll to continue reading.

Dubbed “MongoDB ransack,” the campaign is closely monitored by Merrigan and Gevers. The latter has been long searching for insecure databases to warn companies of the risk they pose. However, many of his responsible disclosures remained unanswered, with 138 of last year’s reports suffering such a fate.

More recently, attackers began looking to cash in on the hype surrounding the campaign, and one of them decided to sell the software used for hijacking the databases. The tool is called Kraken Mongodb ransomware, and its C# source code is offered for only $200 in Bitcoin.

One of the effects of this entire campaign is that the amount of data stored in MongoDB databases has decreased significantly over the past weeks. According to Morrigan, 114.5 Terabytes of data was lost in less than three days as a result of these attacks.

In fact, the security researchers monitoring the situation have already warned that most of the attackers are no longer holding the databases for ransom, but are simply deleting them and pretending they still have the data.

In some cases, the same database is hit multiple times, as the attackers are going for the same pool of targets, meaning that organizations could end up paying the ransom to the wrong attacker. Victims should not only refrain from paying the ransom, but should also ask for “proof-of-life” when contacting the attackers, to ensure their data still exists.

As long as an organization has the proper network monitoring tools in place, it is possible to tell whether the database has been copied or deleted, Gevers says. This, however, requires matching tracked outbound traffic with the number of simultaneous connections in the log file and the duration of these connections. This allows researchers to estimate how much data was exfiltrated.

There are over 50,000 publicly accessible MongoDB databases on the Internet at the moment, and it might not be too long before all of those that haven’t been properly secured are hijacked. According to Gevers, all of the insecure databases could be ransacked in a couple of weeks, maybe even faster.

As it turns out, one of the MongoDB databases hit in the ongoing ransack belongs to the Princeton University, yet it’s uncertain whether it would be able to recover the data or not. According to, which discovered the attack, the University hasn’t commented on the incident as of now, and there’s no info on what kind of information the affected database included.

While he wouldn’t name any of the affected organizations that asked for help so far, Gevers did confirm once again that they are from various industries, including IP, healthcare, online gambling, financial services, trading, and travel/booking. Many online services were also hit in the attack, the researcher said.

In the meantime, organizations with MongoDB databases are advised to take the proper steps to secure their installations and ensure they don’t fall victim to this attack. Last week, MongoDB published a blog post providing details on how admins can secure the databases.

Related: Multiple Attackers Hijacking MongoDB Databases for Ransom

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...