A single attacker has found 22,900 MongoDB databases that were exposed to the internet without a password and has left ransom notes in them.
That number corresponds to roughly 47% of all MongoDB databases reachable from the internet.
The note threatens to leak the data unless the ransom is paid within two days and, to add pressure, to report the breach to the victim's local GDPR enforcement authority.
Attacks of this kind have been observed since early April 2020.
According to Victor Gevers, a security researcher at the GDI Foundation, the initial attacks did not include deleting data.
The intruder would connect to a database, leave the ransom note, and then return a few days later to leave another copy of the same note.
More recently, however, the attacker appears to have realised the mistake and has started wiping the MongoDB databases, deleting all of their data.
The recent attacks are a refined version of a campaign that began in December 2016, when attackers discovered they could make a lot of money by wiping MongoDB servers and demanding a ransom from their victims.
More than 28,000 servers fell victim in January 2017, another 26,000 in September 2017 and another 3,000 in February 2019.
In 2017, MongoDB, Inc.'s director of product security, Davi Ottenheimer, blamed database owners for failing to set passwords on their servers and leaving them exposed to the internet.
Almost three years later, little seems to have changed: roughly 60,000 MongoDB servers were exposed to the internet in early 2017, and the figure today is still about 48,000.
A fresh MongoDB installation now ships with safer defaults (recent releases listen only on localhost unless configured otherwise), yet tens of thousands of servers remain exposed every day, typically because an administrator bound the server to all interfaces without also enabling authentication. If you administer MongoDB servers and want to secure them properly, the security checklist on the MongoDB documentation site is the best place to get the right advice.
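As an added illustration (not taken from the article or from MongoDB's documentation), the two mongod.conf fragments below show the exposed configuration these attacks depend on next to a hardened one. The option names are real mongod.conf settings; the interface address and certificate path are assumed placeholders, and the net.tls section requires MongoDB 4.2 or later.

```yaml
# Added example, not from the article. Two mongod.conf fragments:
# the first is the exposed setup the ransom campaign targets, the second a hardened one.

# --- Exposed (shown commented out): every interface, no credentials required ---
# net:
#   port: 27017
#   bindIp: 0.0.0.0             # reachable from the whole internet
# security:
#   authorization: disabled     # anyone who can connect may read, write and drop databases

# --- Hardened ---
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5    # loopback plus the private interface the app uses (10.0.0.5 is an assumed address)
  tls:
    mode: requireTLS            # refuse plaintext connections (MongoDB 4.2+)
    certificateKeyFile: /etc/ssl/mongodb.pem   # assumed path to the server certificate and key
security:
  authorization: enabled        # every client must authenticate as a user with an assigned role
```

Enable authorization only after creating the first administrative user: with no users defined, mongod allows a connection from localhost to run db.createUser() in the admin database (the localhost exception); once a user exists, unauthenticated clients are refused. After restarting, confirm from a host outside the private network that port 27017 is unreachable, and from inside that a connection without credentials can no longer list databases.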