19 Million California Voter records held for ransom attack on a MongoDB instance

Pierluigi Paganini December 16, 2017

Voter registration data for more than 19 million California residents stored in an unsecured MongoDB instance has been deleted and held for ransom.

Voter registration data for more than 19 million California residents that was stored in an unsecured MongoDB database has been deleted and held for ransom by attackers.

The incident was discovered by researchers at Kromtech, it is the last of a long string of ransom attacks targeting unsecured MongoDB database.

“In early December Kromtech security researchers discovered an unprotected instance of MongoDB database that appear to have contained voter data. The database named ‘cool_db’ contained two collections and was available for anybody with Internet connection to view and/or edit.

One was a manually crafted set of voter registration data for a local district and the other appeared to contain the entire state of California with 19,264,123 records, all open for public access.” reported Kromtech.

According to the LA Times California had 18.2 million registered voters in 2016 so this would logically be a complete list of their records.” 

The attack sequence is similar to other hacks, the attacker scanned the internet for unsecured MongoDB databases, found this one containing the voter data, wiped the data in the archive and left a ransom request for 0.2 Bitcoin ($3,582 US at the current price).

Kromtech researchers were not able to identify the owner of the database because crooks deleted the content of the archive, they only analyzed stats data as well as a few records sample extracted from the database shortly before it has been wiped out.

MongoDB ransom attack voter database

It is impossible to determine if the attacker made a copy of the data before wiping the MongoDB database or if other hacker groups found and made a copy of the voter registration database before it was deleted.

“It is unclear who exactly compiled the database in question or the ownership, but researchers believe that this could have been a political action committee or a specific campaign based on the unofficial title of the repository (“cool_db”), but this is only a suspicion. Political firms assist campaigns in building voter profiles. This information of California voters is governed by state law that dictates what kind of information can be released, and for what purposes.” states Kromtech.

In June, security firm UpGuard found an Amazon S3 bucket containing the details of 198 million US voters.

Once in the hands of crooks, voter data could end up for sale on the Dark Web, in June 2016 a seller using the pseudonym of ‘DataDirect’ offered US voters’ registration records on the darknet marketplace “The Real Deal.”


Back to the case of the California Voter registration archive, Bob Diachenko, head of communications, Kromtech Security Center said:

“This is a massive amount of data and a wake up call for millions citizens of California who have done nothing more than fulfil the civic duty to vote.  This discovery highlights how a simple human error of failing to enact the basic security measures can result in a serious risk to stored data. The MongoDB was left publically available and was later discovered by cyber criminals who seemed to steal the data, which origin is still unknown.”

If you are curious, like me, give a look at the transactions for the wallet in the ransom note and see if someone has paid 😉

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – MongoDB databases, Ransom attacks)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment