DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

The MongoDB attacks: 93 terabytes of data wiped out

Posted on January 10, 2017 by Dissent

The other night on Twitter, after I and others communicated concern as the number of attacks on misconfigured MongoDB installations rose to 27,000  in a relatively short period, @Cyber_War_News and I had a respectful disagreement about the seriousness of the situation:

still shocked that yall shocked and fussing about the mongodb ransom spike.

— CWN (@Cyber_War_News) January 8, 2017

@PogoWasRight well we all know 95% are dev and waste databases, others are most likely backed up, i see no major issue really

— CWN (@Cyber_War_News) January 8, 2017

In light of the above, I thought I’d highlight what we can learn from the MongoDB ransacking sheet created by Victor Gevers and Niall Merrigan. They’ve added a sheet about the victims they’ve provided assistance to. For the first 118 victim entries, consider the following:

  • Only 13 report that they had recently backed up the now-wiped database; the rest reported no recent backups.
  • 7 reported paying the ransom; none of those had gotten their data back.
  • 86 of the databases (73%) were production databases, with an additional 11 instances being coded as “staging,” and 4 instances coded as “development.” The remaining were coded as “unknown,” left blank, or had other designations.

Maybe the first 118 cases are an atypical sample of the more than 27,000 that have been hit, but also consider this:

For the 40+ U.S. entries in the sheet, the production databases included:

  • a travel organization that issued tickets and stored search and customer data in the database;
  • an online advertising firm that stored online ads tracking data;
  • a school that stored a student database;
  • an Internet app (Social Media) that stored user data;
  • a Consumer Services organization that stored customer data;
  • an Online Media entity that stored customer data;
  • an Online Service (Webshop) that stored orders and customer data; and
  • an Online Service (Financial) that stored transaction logs.

Many other U.S. entries were noted as “production” without more specific information entered yet.

And of course, the problem is not confined to U.S. databases. A French healthcare research entity had its database with cancer research data wiped out. They reported no recent backup. And an online financial service in Argentina also had its production database wiped out; that one contained payroll data. They, too, had no recent backup.

As of yesterday, more than 93 terabytes of data had been wiped out.

So should we be concerned about these attacks? I think we should.

But in light of the fact that this is not a new problem, will the Federal Trade Commission consider any enforcement actions against some entities for not using “reasonable security” to protect personally identifiable information? Could the FTC argue that even if they haven’t specifically provided any guidance on MongoDB or other NoSQL databases, the information was out there and entities or their third-party vendors should have known by now?

This post was edited post-publication as it was accidentally posted before completion.

 

 

Category: Breach IncidentsHackOf Note

Post navigation

← Minneapolis settles more lawsuits over snooping in driver database
UK: £150,000 fine for insurance company that failed to keep customers’ information safe →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Possible ransomware attack disrupts Maine and New Hampshire Covenant Health locations
  • HHS OCR Settles HIPAA Security Rule Investigation of BayCare Health System for $800k and Corrective Action Plan
  • UK: Two NHS trusts hit by cyberattack that exploited Ivanti flaw
  • Update: ALN Medical Management’s Data Breach Total Soars to More than 1.8 Million Patients Affected
  • Russian-linked hackers target UK Defense Ministry while posing as journalists
  • Banks Want SEC to Rescind Cyberattack Disclosure Requirements
  • MathWorks, Creator of MATLAB, Confirms Ransomware Attack
  • Russian hospital programmer gets 14 years for leaking soldier data to Ukraine
  • MSCS board renews contract with PowerSchool while suing them
  • Iranian Man Pleaded Guilty to Role in Robbinhood Ransomware

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Home Pregnancy Test Company Wins Dismissal of Pixel Wiretapping Suit
  • The CCPA emerges as a new legal battleground for web tracking litigation
  • U.S. Spy Agencies Are Getting a One-Stop Shop to Buy Your Most Sensitive Personal Data
  • Period Tracking App Users Win Class Status in Google, Meta Suit
  • AI: the Italian Supervisory Authority fines Luka, the U.S. company behind chatbot “Replika,” 5 Million €
  • D.C. Federal Court Rules Termination of Democrat PCLOB Members Is Unlawful
  • Meta may continue to train AI with user data, German court says

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.