Recent MongoDB ransom attacks

Many of you have likely heard that an estimated 27,000 MongoDB databases have had their data removed and held at ransom by hackers. We have received many questions about the news and wanted to discuss and share MongoDB security best practices to prevent future incidents.

All database deployments hosted at mLab are safe from such attacks.

How could 27,000 databases be held at ransom?

First, it is important to understand the nature of these “breaches”. In a sense these were not breaches at all. All of the databases that were attacked:

  1. Were running without authentication enabled, and
  2. Had their MongoDB ports open to the public internet

This means these databases were configured to accept connections from any client, and to not require that clients authenticate to the database via valid credentials (e.g. username and password).

With this in mind, one can see how such an attack was implemented. Two years ago, one security researcher discovered that 30,000+ MongoDB databases were exposed on the internet running without authentication enabled or firewalls configured.

It is also important to note that there are no known vulnerabilities in MongoDB that would allow for such an attack against databases with authentication enabled.

Are mLab-hosted databases vulnerable to this attack?

No. All mLab databases are configured to require database authentication by clients. Furthermore, on our Dedicated plans, you may firewall your database to only accept connections from IP addresses that you whitelist; this allows you to enforce that only your application infrastructure can connect to your database.

You can read more about how mLab handles security at http://docs.mlab.com/security/. In particular, note that our Dedicated plans allow deployments to be firewalled from the public internet, have SSL enabled, and be housed in private networks (i.e., VPC peering) so that communication between the application and the database is confined to the private network.

If you have any questions, please email support@mlab.com for help.

What if I host my own MongoDB?

If you host your own MongoDB deployments, you should make sure that you enable authentication and firewall your database to restrict access from unauthorized IP addresses.

MongoDB has also published a security checklist, which you can follow and implement to protect your MongoDB installation.
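As an added example (not mLab's code and not part of MongoDB's checklist), here is a small Python audit that reads a mongod.conf and flags the two conditions behind the attacks: authentication not enabled and the listener bound to every interface. The sample configurations are constructed, and the parser is a deliberately minimal YAML subset that handles the plain `key: value` nesting mongod.conf uses.

```python
# Added example, not mLab's code: audit a mongod.conf for the two
# misconfigurations behind the ransom attacks. The parser below handles
# only the indentation-based "key: value" subset used by mongod.conf;
# flow syntax ({...}), lists (- item) and anchors are out of scope.

def parse_simple_yaml(text):
    """Parse 'key: value' lines with indented nested mappings into dicts."""
    root = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # dedent: back out to the parent
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # "section:" opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root

def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks pass."""
    conf = parse_simple_yaml(text)
    findings = []
    # Check 1: clients must present valid credentials.
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled': clients need no credentials")
    # Check 2: the port must not listen on every interface.
    # bindIp is a comma-separated string; bindIpAll: true binds everything.
    net = conf.get("net", {})
    addrs = [a.strip() for a in net.get("bindIp", "").split(",") if a.strip()]
    if net.get("bindIpAll") == "true" or not addrs or "0.0.0.0" in addrs or "::" in addrs:
        findings.append("net.bindIp does not restrict listening interfaces: port reachable from any network")
    return findings

# Constructed samples: the exposed configuration and a hardened one.
WEAK_CONF = "storage:\n  dbPath: /var/lib/mongodb\nnet:\n  port: 27017\n  bindIp: 0.0.0.0\n"
HARDENED_CONF = ("storage:\n  dbPath: /var/lib/mongodb\nnet:\n  port: 27017\n"
                 "  bindIp: 127.0.0.1,10.0.0.5\nsecurity:\n  authorization: enabled\n")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["ok"])
```

Restricting bindIp is a host-level control; a network firewall in front of the port (as the section above recommends) is still needed, since bindIp does not stop traffic reaching an interface you did bind.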
