Hacker ‘Gold Rush’ Deletes 27,000 MongoDB Databases

- January 9, 2017

Last week it became clear that opportunistic extortionists were targeting large numbers of unprotected MongoDB databases. The attackers have been deleting the original databases and demanding bitcoin to restore them.

MongoDB is a free database platform many developers use to host site content. The platform has many security features, but they are often not implemented by developers who either don’t care to or don’t know better. The result is tens of thousands of databases that are open to the Internet and do not require authentication. Hackers are using Internet scanning tools like Shodan to find them and hold their contents for ransom.

The operation started sometime late last year.

Now, in what some are referring to as a hacker ‘gold rush,’ multiple extortionists are finding unsecured MongoDB databases, cloning them, deleting the originals and leaving behind a message demanding payment in bitcoin. The total stood at more than 27,000 databases at time of publishing.

While initially the operation was being conducted by a single identity known as Harak1r1, others quickly jumped on the opportunity, some even replacing rival hackers’ messages with their own demand for bitcoin.

Victor Gevers, co-founder of the GDI Foundation, has been working with fellow researchers to catalog the affected databases, as well as helping those who reach out restore their data. According to the researchers’ records, more than 100 companies and organizations from all over the globe have reached out for help.

Andreas Nilsson, a software security engineer for MongoDB, also published a blog post on Friday with instructions to help those who operate MongoDB determine whether their database has been targeted, and what to do if it has.

Nilsson suggests that anyone who has lost access to their data file a ticket with service engineers at MongoDB. MongoDB also has a security checklist for developers who are unfamiliar with security.
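The exposure described above (a database reachable from the Internet with no authentication required) can be checked from the server's own configuration file. The following is an added example, not code from MongoDB or from this article: the function names and sample configs are constructed, it reads only the `net.bindIp`, `net.bindIpAll` and `security.authorization` settings of a YAML-format `mongod.conf`, and it assumes an unset `bindIp` should be flagged because releases before 3.6 listen on all interfaces by default.

```python
import ipaddress

def parse_conf(text):
    """Flatten mongod.conf's two-level YAML subset into {'net.bindIp': value}."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        if not line[0].isspace():
            section = key                      # top-level section such as "net"
            if value:
                settings[key] = value
        elif section:
            settings[f"{section}.{key}"] = value
    return settings

def is_local(addr):
    """True for loopback addresses, 'localhost' and UNIX socket paths."""
    if addr == "localhost" or addr.startswith("/"):
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False                           # other hostnames: treat as reachable

def audit(text):
    """Return findings for the two conditions that leave a database open."""
    s = parse_conf(text)
    findings = []
    if s.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("no-auth")
    binds = [a.strip() for a in s.get("net.bindIp", "").split(",") if a.strip()]
    if s.get("net.bindIpAll", "").lower() == "true" or not binds:
        # Assumption: unset bindIp is flagged (pre-3.6 default is all interfaces).
        findings.append("network-exposed")
    elif not all(is_local(a) for a in binds):
        findings.append("network-exposed")
    return findings

# Constructed sample configs, not taken from any real deployment.
OPEN = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
HARDENED = ("net:\n  port: 27017\n  bindIp: 127.0.0.1,/tmp/mongod.sock\n"
            "security:\n  authorization: enabled\n")

if __name__ == "__main__":
    for name, conf in (("open", OPEN), ("hardened", HARDENED)):
        print(name, audit(conf) or "ok")
```

A server that returns both findings matches the condition the article describes; `network-exposed` alone still warrants a firewall review even when authentication is on.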