Memcached and Redis servers are in the same situation

Dec 17, 2015 10:29 GMT

John Matherly, Shodan founder, has been reporting on the topic of exposed MongoDB servers for almost two years now, and in a recent investigation carried out after the MacKeeper data breach, he found even more MongoDB instances than ever before.

MongoDB is a new breed of database servers that makes it easier to handle large quantities of data in a faster, less complicated way when compared to classic solutions like MySQL or Oracle.

For this reason, many developers prefer it for their projects, especially in data-heavy applications and online services. What most developers don't know is that older versions of the database shipped with a default configuration file that listens for connections on all network interfaces, including those reachable from the outside.

This allows attackers easy access to carry out brute-force attacks, connect to the database, and steal its content.
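As an added example, not taken from the article or from MongoDB's own tooling: a small Python audit that reads a mongod.conf and reports the two settings behind this exposure, listening on every interface and running without authentication. The configuration samples are constructed; the key names (net.bindIp, security.authorization, and the legacy bind_ip and auth) are MongoDB's.

```python
from __future__ import annotations

def parse_mongod_conf(text: str) -> dict[str, str]:
    """Flatten a mongod.conf into dotted keys.
    Handles the YAML layout used since 2.6 (net.bindIp, security.authorization)
    and the legacy key = value layout of 2.4 (bind_ip, auth). Minimal parser,
    enough for the flat two-level files these settings live in."""
    settings: dict[str, str] = {}
    stack: list[tuple[int, str]] = []          # (indent, section) for YAML nesting
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        body = line.strip()
        if "=" in body and ":" not in body.split("=", 1)[0]:   # legacy style
            key, _, value = body.partition("=")
            settings[key.strip()] = value.strip()
            continue
        key, _, value = body.partition(":")
        while stack and stack[-1][0] >= indent:  # left a nested section
            stack.pop()
        prefix = ".".join(name for _, name in stack)
        full = f"{prefix}.{key.strip()}" if prefix else key.strip()
        if value.strip():
            settings[full] = value.strip().strip("'\"")
        else:
            stack.append((indent, key.strip()))
    return settings

def audit(text: str) -> list[str]:
    """Return findings; an empty list means the file does not expose the server this way."""
    s = parse_mongod_conf(text)
    findings: list[str] = []
    bind = s.get("net.bindIp", s.get("bind_ip"))
    # On the versions discussed here an absent bindIp means every interface.
    if bind is None or "0.0.0.0" in bind or "::" in bind.split(","):
        findings.append("listens on all interfaces: set net.bindIp to 127.0.0.1 or specific addresses")
    auth_on = s.get("security.authorization") == "enabled" or s.get("auth") == "true"
    if not auth_on:
        findings.append("authentication disabled: set security.authorization: enabled")
    return findings

# Constructed samples: the exposed default described above and a hardened equivalent.
WEAK_CONF = "storage:\n  dbPath: /var/lib/mongodb\nnet:\n  port: 27017\nsecurity:\n  authorization: disabled\n"
HARDENED_CONF = "net:\n  port: 27017\n  bindIp: 127.0.0.1\nsecurity:\n  authorization: enabled\n"
LEGACY_CONF = "# 2.4-style file\ndbpath = /var/lib/mongodb\nbind_ip = 127.0.0.1\nauth = true\n"

if __name__ == "__main__":
    for name, conf in [("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("legacy", LEGACY_CONF)]:
        print(name, audit(conf) or "ok")
```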

The problem of insecure MongoDB servers is an old one

During the past years, many developers have tackled this subject. In February, researchers revealed that about 40,000 MongoDB databases were leaking data in this very same way.

In July, later in the year, Mr. Matherly released a report showing that the number of exposed databases went down to 30,000, but companies were still leaking 600 terabytes of data. In August, another researcher found 1.2 petabytes of data using the same research method, but also discovered that other technologies like Redis, Elasticsearch, and Memcached were also left exposed and easily accessible via Internet connections.

Coming back to this topic, after the recent MacKeeper data breach that was caused by an exposed MongoDB server, Mr. Matherly has updated his original report.

35,000 MongoDB servers leaking 685 TB of data

At this moment, two years after Mr. Matherly sounded the first alarm, there are still 35,000 publicly reachable, unauthenticated MongoDB instances, exposing a total of 685 TB of data.

What's extremely surprising is the statistic about MongoDB version numbers. In his research from last July, Mr. Matherly discovered that not only MongoDB versions 2.4.14 and prior but also some of the early 2.6.x versions came with a default config that left database ports open to outside connections.

In his most recent report, there are over 3,000 servers of MongoDB 3.0.6, over 1,800 servers of MongoDB 3.0.6, and over 1,100 servers of MongoDB 3.0.4 with open ports. What this means is that database administrators purposely changed the default config in those servers, and opened them to outside connections, something that MongoDB's creators don't recommend in their security guidelines.

Adjacent research on this very same topic also revealed that, outside MongoDB, an attacker could also discover over 130,000 Memcached servers and over 42,000 Redis database servers opened to public connections in the same way.