Anatomy of a Breach: The MongoDB Ransomware Wave — When Thousands of Databases Were Left Open to the Internet

> series: anatomy_of_a_breach —— part: 097 —— targets: 28,000+_databases —— authentication: none —— skill_required: zero

Hedgehog Security 31 January 2017 12 min read

28,000 databases. No passwords. Deleted and ransomed.

In early January 2017, security researcher Victor Gevers reported that attackers had begun systematically targeting MongoDB databases exposed to the internet without authentication. The attack was simple: connect to an exposed database, delete the data, leave a ransom note in a new collection demanding 0.2 Bitcoin (approximately $200) for the data's return, and move on to the next target. Within weeks, over 28,000 MongoDB instances had been ransomed. The wave quickly expanded to include Elasticsearch, Hadoop, CouchDB, and Cassandra deployments — any database technology that could be deployed without default authentication.

The MongoDB ransomware wave was not a sophisticated attack — it was an automated scan for databases with no passwords, followed by deletion and extortion. Many of the ransomed databases contained production data: customer records, application data, research datasets, and healthcare information. In many cases, the attackers did not actually preserve the data — meaning victims who paid the ransom received nothing in return. The wave demonstrated a new threat paradigm: misconfiguration at internet scale is a vulnerability class as dangerous as any software flaw.


No password. No firewall. Connected to the internet.

Default Configuration = No Authentication

MongoDB's default installation did not require authentication — a design decision that prioritised developer convenience over security. Thousands of administrators deployed MongoDB to production servers without enabling authentication, leaving databases accessible to anyone who could reach port 27017. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> checks for unauthenticated database services on every engagement.
Cloud Deployments Amplified the Problem

The rise of cloud computing made it trivially easy to deploy internet-facing database servers without security review or network controls. A developer could spin up a MongoDB instance on AWS, GCP, or Azure in minutes — and if they did not configure authentication or firewall rules, the database was immediately accessible to the entire internet. <a href="/penetration-testing/cloud-configuration-review">Cloud configuration reviews</a> identify these exposures.
Shodan Made Discovery Trivial

Search engines like Shodan index internet-connected devices and services — including unauthenticated databases. Attackers did not need to scan the internet themselves; they could query Shodan for exposed MongoDB instances and receive a list of targets. Our <a href="/vulnerability-scanning">vulnerability scanning</a> includes external exposure assessment.
Many Ransoms Were Scams

Multiple criminal groups attacked the same databases, each overwriting the previous ransom note. In many cases, the attackers had not actually preserved the data — meaning payment would yield nothing. The only reliable recovery was from backups. <a href="/penetration-testing/infrastructure">Infrastructure testing</a> validates backup procedures — the control that separates recoverable incidents from permanent data loss.

Configuration is security. Test it.

The MongoDB wave established that misconfiguration is a first-class vulnerability — as exploitable and as damaging as any software flaw. For organisations deploying databases, cloud services, or any internet-facing infrastructure, security configuration must be verified through testing, not assumed through policy. Cyber Essentials mandates secure configuration as a baseline control. Our infrastructure testing and cloud configuration reviews identify exposed services. SOC in a Box monitors for unauthorised access to database services. And UK Cyber Defence provides incident response when misconfigured services are discovered or exploited.


28,000 databases had no passwords. Do you know what is exposed on your network?

Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> finds unauthenticated services. <a href="/penetration-testing/cloud-configuration-review">Cloud reviews</a> check your cloud estate. <a href="/cyber-essentials">Cyber Essentials</a> mandates secure configuration.
