

MongoDB Data Extortion Attacks Continue with Low Ransom Demands

First reported
Last updated
1 unique source, 1 article

Summary


A threat actor is targeting exposed MongoDB instances in automated data extortion attacks, demanding low ransoms of approximately $500 in Bitcoin to restore deleted data. The attacker exploits misconfigured databases that allow unrestricted access, with around 1,400 servers compromised. Researchers from Flare discovered over 208,500 exposed MongoDB servers, of which 3,100 could be accessed without authentication. Nearly half of these accessible databases were already compromised, with ransom notes left behind. The attacks are smaller in scale compared to previous waves but continue to target vulnerable instances. The threat actor uses a limited number of Bitcoin wallet addresses, with one address prevalent in about 98% of the cases, suggesting a single actor behind these attacks. Additionally, nearly half of the exposed MongoDB servers run older versions vulnerable to n-day flaws, though most of these flaws only allow denial-of-service attacks. Flare recommends securing MongoDB instances by avoiding public exposure, using strong authentication, enforcing firewall rules, updating to the latest version, and continuously monitoring for unauthorized activity.
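The two misconfigurations that make an instance a target for these automated bots, public exposure and missing authentication, can be checked directly in mongod.conf. The following audit script is an added example, not code from the article or from Flare; it assumes the standard MongoDB config keys `net.bindIp`, `net.bindIpAll` and `security.authorization`, and both sample configurations are constructed.

```python
"""Audit a mongod.conf (YAML) for the exposure pattern behind the
MongoDB extortion campaigns: bound to all interfaces with no authorization."""

# Constructed sample configs (not taken from the article or any real server).
EXPOSED_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus one internal address
security:
  authorization: enabled
"""

PUBLIC_BINDS = {"0.0.0.0", "::"}  # wildcard binds for IPv4 and IPv6


def parse_conf(text):
    """Parse the two-level 'section:\\n  key: value' subset used by mongod.conf.
    Deliberately avoids a PyYAML dependency; enough for the keys audited here."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")  # split on the first colon only
        if not raw.startswith(" "):                  # top-level section header
            section = key
            conf[section] = {}
        elif section is not None:
            conf[section][key] = value.strip().strip("'\"")
    return conf


def audit(text):
    """Return a list of findings for the config; an empty list means no issue found."""
    conf = parse_conf(text)
    net, sec = conf.get("net", {}), conf.get("security", {})
    binds = {b.strip() for b in net.get("bindIp", "127.0.0.1").split(",")}
    exposed = net.get("bindIpAll", "false").lower() == "true" or bool(binds & PUBLIC_BINDS)
    no_auth = sec.get("authorization", "disabled").lower() != "enabled"
    findings = []
    if exposed:
        findings.append("net.bindIp listens on all interfaces; bind to localhost or an internal address")
    if no_auth:
        findings.append("security.authorization is not enabled; any client gets full access")
    if exposed and no_auth:
        findings.append("CRITICAL: reachable from the internet without authentication")
    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["ok"])
```

Pair the config check with a host firewall rule restricting port 27017 to application hosts and with monitoring for new databases or collections appearing that no application created.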

Timeline

  1. 01.02.2026 18:27 · 1 article

    MongoDB Data Extortion Attacks Continue with Low Ransom Demands

