Massive attack: Vulnerable MongoDB databases targeted in new wave of ransom attacks

Security shortcomings return to haunt MongoDB as it prepares for $1.6bn IPO

Internet-facing MongoDB databases have been targeted in a new wave of ransom attacks by groups taking advantage of known security weaknesses in unpatched versions of the popular NoSQL database.

That's according to security researchers Dylan Katz and Victor Gevers, who claim that three new groups are behind the hijackings of more than 26,000 MongoDB servers over the past week.

"During those attacks, multiple hacking crews scanned the Internet for MongoDB databases left open for external connections, wiped their content, and replaced it with a ransom demand," according to Bleeping Computer.

"Most of these exposed databases were test systems, but some contained production data and a few companies ended up paying the ransom only to later find out they've been scammed and the attacker never had their data."

The attacks have been tracked via a Google Docs spreadsheet, with more than 45,000 databases in total affected.

The wave of attacks stems from the lack of security by default in out-of-the-box installations of MongoDB, which, unlike other databases, automatically exposes itself to the internet, combined with mistakes made by developers when setting up MongoDB databases. MongoDB has also suffered from a number of security shortcomings over the years.
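A defender's check for the settings behind this kind of exposure, as an added example that is not from the original article or from MongoDB: it reads a YAML-format `mongod.conf` and flags a bind address beyond loopback or access control that is not enabled. The option names `net.bindIp`, `net.bindIpAll` and `security.authorization` are MongoDB configuration-file options that the article does not mention, and both sample configs are constructed.

```python
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
ANY_ADDR = {"0.0.0.0", "::"}

def flatten_conf(text):
    """Flatten the simple nested YAML of a mongod.conf into dotted keys."""
    flat, stack = {}, []                      # stack holds (indent, key)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()                       # leave deeper or sibling scopes
        stack.append((indent, key.strip()))
        if value.strip():
            flat[".".join(k for _, k in stack)] = value.strip().strip("\"'")
    return flat

def audit(text):
    """Return a list of finding codes for exposure-related settings."""
    conf = flatten_conf(text)
    findings = []
    bind_ip = conf.get("net.bindIp")
    addrs = {a.strip() for a in bind_ip.split(",")} if bind_ip else set()
    if conf.get("net.bindIpAll", "false").lower() == "true" or addrs & ANY_ADDR:
        findings.append("BIND_ALL_INTERFACES")
    elif bind_ip is None:
        # Assumption: the fallback differs by mongod release, so flag for review.
        findings.append("BIND_UNSET_CHECK_DEFAULT")
    elif addrs - LOOPBACK:
        findings.append("BIND_NON_LOOPBACK")
    if conf.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("AUTH_DISABLED")
    return findings

# Constructed sample configs, not taken from any real deployment.
OPEN_CONF = """
net:
  port: 27017
  bindIp: 0.0.0.0   # reachable on every interface
"""
HARDENED_CONF = """
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""
```

`audit(OPEN_CONF)` reports both the all-interfaces bind and the missing access control, while `audit(HARDENED_CONF)` returns an empty list.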

MongoDB servers were subjected to a wave of attacks around December last year and at the beginning of the year. At the time, MongoDB published advice for users on how to avoid falling victim to the attacks.

The renewed wave of attacks probably won't daunt potential investors in MongoDB - although they should - as the company prepares for an initial public offering (IPO) that would value the company at $1.6bn or more.

The filing was made confidentially in August under a provision of the 2012 JOBS Act, with the intention that the company would go public before the end of the year.