{"id":209705,"date":"2026-02-01T11:27:00","date_gmt":"2026-02-01T16:27:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/02\/01\/exposed-mongodb-instances-still-targeted-in-data-extortion-attacks\/"},"modified":"2026-02-03T18:20:11","modified_gmt":"2026-02-03T23:20:11","slug":"exposed-mongodb-instances-still-targeted-in-data-extortion-attacks","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/02\/01\/exposed-mongodb-instances-still-targeted-in-data-extortion-attacks\/","title":{"rendered":"Exposed MongoDB instances still targeted in data extortion attacks"},"content":{"rendered":"

Exposed MongoDB instances still targeted in data extortion attacks<\/a><\/p>\n

https:\/\/www.bleepingcomputer.com\/news\/security\/exposed-mongodb-instances-still-targeted-in-data-extortion-attacks\/<\/a><\/p>\n

Publish Date: 2026-02-01 11:27:00<\/a><\/p>\n

Source Domain: www.bleepingcomputer.com<\/a><\/p>\n

\n

A threat actor is targeting exposed MongoDB instances in automated data extortion attacks demanding low ransoms from owners to restore the data.<\/p>\n

The attacker focuses on the low-hanging fruit, databases that are insecure due to misconfiguration that permits access without restriction. Around 1,400 exposed servers have been compromised, and the ransom note demanded a ransom of about $500 in Bitcoin.<\/p>\n

Until 2021, a flurry of attacks had occurred, deleting thousands of databases and demanding ransom to restore the information [1, 2]. Sometimes, the attacker just deletes the databases without a financial demand.<\/p>\n

\"Wiz\"<\/p>\n

A pentesting exercise from researchers at cybersecurity company Flare revealed that these attacks continued, only at a smaller scale.<\/p>\n

The researchers discovered more than 208,500 publicly exposed MongoDB servers. Of them, 100,000 expose operational information, and 3,100 could be accessed\u00a0 without authentication.<\/p>\n

\"ShodanShodan search results<\/strong>
Source: Flare<\/p>\n

Almost half (45.6%) of those with unrestricted access had already been compromised when Flare examined them. The database had been wiped, and a ransom note was left.<\/p>\n

An analysis of the ransom notes showed that most of\u00a0them demanded\u00a0a payment of 0.005 BTC within 48 hours.<\/p>\n

\u201cThreat actors demand payment in Bitcoin (often around 0.005 BTC, equivalent today to $500-600 USD) to a specified wallet address, promising to restore the data,\u201d reads the Flare report.<\/p>\n

\u201cHowever, there is no guarantee the attackers have the data, or will provide a working decryption key if paid.\u201d<\/p>\n

\"SampleSample of the ransom note<\/strong>
Source: Flare<\/p>\n

There were only five distinct wallet addresses across the dropped ransom notes, and one of them was prevalent in about 98% of the cases, indicating a single threat actor focusing on these attacks.<\/p>\n

Flare also comments on the remaining exposed instances that didn\u2019t appear to have been hit, even though they were exposed and poorly secured, hypothesizing that those may…<\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Exposed MongoDB instances still targeted in data extortion attacks https:\/\/www.bleepingcomputer.com\/news\/security\/exposed-mongodb-instances-still-targeted-in-data-extortion-attacks\/ Publish Date: 2026-02-01 11:27:00 Source…<\/p>\n","protected":false},"author":1,"featured_media":209706,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.bleepstatic.com\/content\/hl-images\/2025\/12\/27\/mongobleed.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,24,34],"class_list":["post-209705","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-cybersecurity","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/209705"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=209705"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/209705\/revisions"}],"predecessor-version":[{"id":209707,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/209705\/revisions\/209707"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/209706"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=209705"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=209705"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=209705"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}