Hackers are targeting unsecured MongoDB database

Pierluigi Paganini July 03, 2020

A new wave of attacks is targeting unsecured MongoDB database servers and wiping their content attempting to extort a ransom to the victims.

The popular security expert Victor Gevers from the non-profit GDI Foundation reported a new wave of attacks that are targeting unsecured MongoDB database servers exposed online. Threat actors are wiping the content of the databases and are demanding the payment of a ransom, they are threatening to leak the stolen data and report the owners for a violation of the EU privacy regulation GDPR.

Once they gain access to the MongoDB server, attackers wipe the databases and create a new database called “READ_ME_TO_RECOVER_YOUR_DATA.”

The database contains several items named ‘README’ that includes the ransom note.

The ransom note informs the victims that their database has been wiped after the data was backed up by the attackers that are demanding 0.015 BTC ($135.55) to recover them.

"All your data is a backed up. You must pay 0.015 BTC to 13JwJDaU3xdNFfcSySFCy95E2Tko18fiyB 48 hours for recover it. After 48 hours expiration we will leaked and exposed all your data. In case of refusal to pay, we will contact the General Data Protection Regulation, GDPR and notify them that you store user data in an open form and is not safe. Under the rules of the law, you face a heavy fine or arrest and your base dump will be dropped from our server! You can buy bitcoin here, does not take much time to buy https://localbitcoins.com with this guide https://localbitcoins.com/guides/how-to-buy-bitcoins After paying write to me in the mail with your DB IP: restore_base@tuta.io"

Gevers scanned the interned for impacted MongoDB installs, he discovered 15,000 affected database servers using Shodan and more than 23,000 servers using the BinaryEdge search engine.

“When BleepingComputer performed a quick test of searching for MongoDB servers on Shodan, we quickly saw numerous servers being ransomed from this attack,” states BleepingComputer.

This type of extortion practice is not new, in the past crooks carried out numerous campaigns against unsecured MongoDB installs exposed online.

This time, hackers are threatening to report the owners for GDPR violations and force them to pay the ransom, this is a novelty in the threat landscape.

“After 48 hours expiration we will leaked and exposed all your data. In case of refusal to pay, we will contact the General Data Protection Regulation, GDPR and notify them that you store user data in an open form and is not safe. Under the rules of the law, you face a heavy fine or arrest and your base dump will be dropped from our servers,” the ransom note reads.

Attackers are demanding small ransoms, likely to tricking the victims that it is better to pay to avoid penalties for GDPR violations.

According to Gevers, likely the attackers aren’t backing up the data before wiping them, anyway, he is investigating the cases.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, MongoDB)

[adrotate banner=”5″]

[adrotate banner=”13″]

MongoDB

Pierluigi Paganini August 18, 2025

AI for Cybersecurity: Building Trust in Your Workflows

Pierluigi Paganini August 18, 2025