Threat actors are automatically compromising exposed MongoDB instances and leaving ransom notes demanding roughly 0.005 BTC (about $500) to restore data. Flare researchers discovered over 208,500 publicly exposed MongoDB servers (3,100 without authentication) and found that nearly half of the unauthenticated servers had already been wiped and left with ransom notes.
Key points
- Attackers target misconfigured, publicly exposed MongoDB instances with automated data-extortion.
- About 1,400 servers were compromised and ransom notes demanded ~0.005 BTC (≈$500).
- Flare found over 208,500 exposed MongoDB servers, with 3,100 accessible without authentication.
- Most ransom notes point to a single threat actor using a small set of Bitcoin wallet addresses.
- Administrators should avoid public exposure, enforce strong authentication and network controls, update MongoDB, rotate credentials, and review logs if exposed.