66/69 Tuesday, February 3, 2026

Researchers from cybersecurity firm Flare have released a report on attacks targeting publicly exposed MongoDB databases, where threat actors scan for misconfigured servers that allow unauthenticated access. The investigation identified more than 208,500 MongoDB servers accessible from the internet, approximately 3,100 of which lacked any form of protection. Nearly half of these unprotected servers had already been attacked: their data had been deleted and ransom notes left behind.
The attack campaign involves low-value extortion, with attackers demanding 0.005 BTC (approximately USD 500–600) within 48 hours in exchange for alleged data recovery. Analysis of cryptocurrency wallet addresses revealed that over 98% of the incidents used the same wallet, indicating the operation is likely carried out by a single threat actor. However, researchers warn that there is no guarantee the data was actually backed up or can be restored after payment, as some cases show attackers simply deleting the databases without retaining any copies.
Beyond access control issues, the report also found that more than 95,000 MongoDB servers are running outdated and vulnerable software versions, many of which are susceptible to Denial-of-Service (DoS) attacks. To mitigate risks, administrators are advised to avoid exposing databases to the public internet unless absolutely necessary, enforce strong authentication mechanisms, configure firewalls to allow only trusted connections, keep software up to date, and avoid blindly applying default configuration guides without proper review. If a system is found to be publicly exposed, administrators should immediately change credentials and review logs for signs of suspicious activity.
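The two misconfigurations the report describes, a database bound to every interface and running with authorization disabled, are both visible in `mongod.conf`. The following is an added example (not from the Flare report or from MongoDB's own tooling) that audits a parsed configuration for exactly those two conditions. It assumes the YAML has already been loaded into a nested dict (as `yaml.safe_load` would produce) and relies on two documented MongoDB defaults: `net.bindIp` defaults to localhost since 3.6, and `security.authorization` defaults to `disabled`. The three sample configurations are constructed for illustration; the "weak" one mirrors the copy-pasted guides the report warns about.

```python
"""Audit a parsed mongod.conf for the exposure patterns in the Flare report.

Added example. The config is expected as the nested dict that yaml.safe_load
would return for a mongod.conf file; the samples below are constructed.
"""

ALL_INTERFACES = {"0.0.0.0", "::"}


def audit_mongod_config(conf):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    net = conf.get("net") or {}
    security = conf.get("security") or {}

    # MongoDB 3.6+ binds to localhost unless bindIp / bindIpAll says otherwise.
    bind_ip = str(net.get("bindIp", "127.0.0.1"))
    bind_all = bool(net.get("bindIpAll", False))
    addresses = {addr.strip() for addr in bind_ip.split(",")}
    exposed = bind_all or bool(addresses & ALL_INTERFACES)
    if exposed:
        findings.append("net.bindIp: listens on all interfaces (reachable from the internet if not firewalled)")

    # Authorization is disabled by default, so an absent key is as bad as an explicit "disabled".
    auth_enabled = str(security.get("authorization", "disabled")).lower() == "enabled"
    if not auth_enabled:
        findings.append("security.authorization: not enabled (any client can read, drop and write data)")

    # The combination is what the report's ransom campaign relies on.
    if exposed and not auth_enabled:
        findings.append("CRITICAL: unauthenticated access from any network interface")
    return findings


# Constructed sample: the pattern many quick-start guides hand out verbatim.
WEAK_CONFIG = {
    "storage": {"dbPath": "/var/lib/mongodb"},
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
}

# Constructed sample: authorization turned on, but still bound to every interface.
AUTH_ONLY_CONFIG = {
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
    "security": {"authorization": "enabled"},
}

# Constructed sample: localhost plus a private address, with authorization enabled.
HARDENED_CONFIG = {
    "net": {"port": 27017, "bindIp": "127.0.0.1,10.0.0.5"},
    "security": {"authorization": "enabled"},
}


def summarize(name, conf):
    """Print a one-line verdict per configuration; used when run as a script."""
    findings = audit_mongod_config(conf)
    verdict = "OK" if not findings else f"{len(findings)} finding(s)"
    print(f"{name}: {verdict}")
    for line in findings:
        print(f"  - {line}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("auth-only", AUTH_ONLY_CONFIG), ("hardened", HARDENED_CONFIG)):
        summarize(label, cfg)
```

The check deliberately treats a missing `security` section as a finding rather than as "unknown", because MongoDB's default is the insecure state; an audit that only flags explicit `authorization: disabled` would miss most of the servers the report counted. A bind to a private address still needs the firewall rule the report recommends, which this file-level check cannot see.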
