DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

The MongoDB attacks: 93 terabytes of data wiped out

Posted on January 10, 2017 by Dissent

The other night on Twitter, after I and others communicated concern as the number of attacks on misconfigured MongoDB installations rose to 27,000  in a relatively short period, @Cyber_War_News and I had a respectful disagreement about the seriousness of the situation:

still shocked that yall shocked and fussing about the mongodb ransom spike.

— CWN (@Cyber_War_News) January 8, 2017

@PogoWasRight well we all know 95% are dev and waste databases, others are most likely backed up, i see no major issue really

— CWN (@Cyber_War_News) January 8, 2017

In light of the above, I thought I’d highlight what we can learn from the MongoDB ransacking sheet created by Victor Gevers and Niall Merrigan. They’ve added a sheet about the victims they’ve provided assistance to. For the first 118 victim entries, consider the following:

  • Only 13 report that they had recently backed up the now-wiped database; the rest reported no recent backups.
  • 7 reported paying the ransom; none of those had gotten their data back.
  • 86 of the databases (73%) were production databases, with an additional 11 instances being coded as “staging,” and 4 instances coded as “development.” The remaining were coded as “unknown,” left blank, or had other designations.

Maybe the first 118 cases are an atypical sample of the more than 27,000 that have been hit, but also consider this:

For the 40+ U.S. entries in the sheet, the production databases included:

  • a travel organization that issued tickets and stored search and customer data in the database;
  • an online advertising firm that stored online ads tracking data;
  • a school that stored a student database;
  • an Internet app (Social Media) that stored user data;
  • a Consumer Services organization that stored customer data;
  • an Online Media entity that stored customer data;
  • an Online Service (Webshop) that stored orders and customer data; and
  • an Online Service (Financial) that stored transaction logs.

Many other U.S. entries were noted as “production” without more specific information entered yet.

And of course, the problem is not confined to U.S. databases. A French healthcare research entity had its database with cancer research data wiped out. They reported no recent backup. And an online financial service in Argentina also had its production database wiped out; that one contained payroll data. They, too, had no recent backup.

As of yesterday, more than 93 terabytes of data had been wiped out.

So should we be concerned about these attacks? I think we should.

But in light of the fact that this is not a new problem, will the Federal Trade Commission consider any enforcement actions against some entities for not using “reasonable security” to protect personally identifiable information? Could the FTC argue that even if they haven’t specifically provided any guidance on MongoDB or other NoSQL databases, the information was out there and entities or their third-party vendors should have known by now?

This post was edited post-publication as it was accidentally posted before completion.

 

 

Category: Breach IncidentsHackOf Note

Post navigation

← Minneapolis settles more lawsuits over snooping in driver database
UK: £150,000 fine for insurance company that failed to keep customers’ information safe →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Masimo Manufacturing Facilities Hit by Cyberattack
  • Education giant Pearson hit by cyberattack exposing customer data
  • Star Health hacker claims sending bullets, threats to top executives: Reports
  • Nova Scotia Power hit by cyberattack, critical infrastructure targeted, no outages reported
  • Georgia hospital defeats data-tracking lawsuit
  • 60K BTC Wallets Tied to LockBit Ransomware Gang Leaked
  • UK: Legal Aid Agency hit by cyber security incident
  • Public notice for individuals affected by an information security breach in the Social Services, Health Care and Rescue Services Division of Helsinki
  • PowerSchool paid a hacker’s extortion demand, but now school district clients are being extorted anyway (3)
  • Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The App Store Freedom Act Compromises User Privacy To Punish Big Tech
  • Florida bill requiring encryption backdoors for social media accounts has failed
  • Apple Siri Eavesdropping Payout Deadline Confirmed—How To Make A Claim
  • Privacy matters to Canadians – Privacy Commissioner of Canada marks Privacy Awareness Week with release of latest survey results
  • Missouri Clinic Must Give State AG Minor Trans Care Information
  • Georgia hospital defeats data-tracking lawsuit
  • No Postal Service Data Sharing to Deport Immigrants

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.