Cyber Criminal Targets MongoDB & Threatens to Report GDPR Breaches

A cybercriminal has been busy targeting unsecured MongoDB databases and threatening to report their vulnerability to data protection authorities, a move that could result in a General Data Protection Regulation (GDPR) penalty being imposed.

23,000 MongoDB databases, which have been left exposed online without passwords, have had ransom notes uploaded to them and a $140 ransom demanded as payment for not reporting the breach to local GDPR authorities.

The hacker is employing an automated script to search for improperly configured MongoDB databases. Once he finds them, he clears their content and requests that a ransom of either 0.015 bitcoin or around $140 be paid. He also threatens to report the breach to the local GDPR authorities if the victims refuse to pay within two days.

Victor Gevers, a security expert at the Dutch Institute for Vulnerability Disclosure, first discovered the attacks during April. Gevers pointed out that the first few attacks lacked the data-wiping feature. Once the hacker realized the mistake in the script, he amended it and began wiping the MongoDB databases.

The collection uploaded to the MongoDB database is titled ‘README’ and includes a ransom note saying that the data that was previously held there has been “backed up” and the ransom must be paid to release it.

It goes on to say: “After 48 hours expiration we will leaked and exposed all your data. In case of refusal to pay, we will contact the General Data Protection Regulation, GDPR and notify them that you store user data in an open form and is not safe. Under the rules of the law, you face a heavy fine or arrest and your base dump will be dropped from our server!”

The cybercriminal, who remains unknown, even went as far as providing a guide on how to purchase bitcoins. At this point in time, it appears that he is using multiple bitcoin wallets and email addresses, but the wording of the threat remains consistent.