Overview
Financially motivated hackers continue to target MongoDB servers that are left open to the internet. A recent investigation by threat‑management firm Flare shows that nearly half of the 3,100 unprotected instances have been compromised.
Scale of Exposure
Flare identified over 200,000 publicly discoverable MongoDB servers, with more than 100,000 exposing operational information. Of these, 3,100 lack proper access controls, allowing anyone to connect without authentication.
Compromise Statistics
• Total exposed instances: 3,100
• Compromised instances: 1,416 (45.6%)
• Clean instances: 1,684 (54.4%)
Compromised servers typically display ransom notes demanding a $500 payment in Bitcoin.
Threat Actor Analysis
In 98% of the compromised cases, the ransom note references the same Bitcoin address, strongly indicating a single threat actor behind the campaign.
Financial Impact
The potential earnings for the attacker range from $0 to $842,000, assuming each ransom note represents a paid demand. To date, the associated Bitcoin wallet has received roughly $400, suggesting limited profitability.
Vulnerabilities and Risks
Flare also found that 95,000 of the identified servers (46.3%) contain at least one vulnerability, many of which could lead to denial‑of‑service (DoS) conditions. The primary risk remains the exposed MongoDB instances without authentication.
Recommendations for Securing MongoDB
- Enable authentication and enforce strong, unique passwords for all database users.
- Restrict network access using firewalls or security groups so that only trusted IP ranges can reach the database.
- Keep MongoDB software up to date with the latest security patches.
- Implement TLS/SSL encryption for data in transit.
- Regularly scan for exposed instances using internet‑wide discovery tools and remediate immediately.
- Monitor logs for suspicious activity and set up alerts for unauthorized access attempts.
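As an added example (not code from Flare or the MongoDB project), a small Python audit that reads a mongod.conf and flags the three settings behind the exposures described above: authorization off, listening on every interface, and no TLS. It assumes the space-indented `key: value` YAML style of mongod.conf and ships a minimal parser for that subset so it runs without PyYAML; the sample configs, addresses and file path are constructed.

```python
# Added example: audit a mongod.conf against the recommendations above. Assumes
# the space-indented 'key: value' YAML style of mongod.conf with no lists or
# anchors; the tiny parser below stands in for PyYAML so the script runs offline.

def parse_simple_yaml(text):
    stack = [(-1, {})]                         # (indent, mapping) path to the root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:          # climb back out of deeper mappings
            stack.pop()
        parent, value = stack[-1][1], value.strip()
        if value:                              # scalar leaf
            parent[key] = value
        else:                                  # start of a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
    return stack[0][1]

def lookup(cfg, dotted, default):
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node

def audit_mongod_conf(text):
    cfg, findings = parse_simple_yaml(text), []   # [] means all three checks pass
    if lookup(cfg, "security.authorization", "disabled") != "enabled":
        findings.append("security.authorization: unauthenticated clients get full access")
    addrs = [a.strip() for a in lookup(cfg, "net.bindIp", "127.0.0.1").split(",")]
    if lookup(cfg, "net.bindIpAll", "false").lower() == "true" or "0.0.0.0" in addrs or "::" in addrs:
        findings.append("net.bindIp: listening on every interface; internet-reachable unless filtered")
    if lookup(cfg, "net.tls.mode", "disabled") != "requireTLS":
        findings.append("net.tls.mode: credentials and data cross the network unencrypted")
    return findings

# Constructed samples: the weak one is how the exposed instances are typically set up.
WEAK_CONF = "net:\n  bindIp: 0.0.0.0\nsecurity:\n  authorization: disabled\n"
HARDENED_CONF = """net:
  bindIp: 127.0.0.1,10.20.0.5        # loopback plus the app subnet (assumed address)
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder path
security:
  authorization: enabled
"""
```

Run `audit_mongod_conf(WEAK_CONF)` to see the three findings and `audit_mongod_conf(HARDENED_CONF)` to confirm an empty list.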
Conclusion
The data underscores that a single, organized threat actor can cause widespread disruption across poorly secured MongoDB deployments. Organizations must adopt a defense‑in‑depth approach, combining proper access controls, regular patching, and continuous monitoring to protect their data assets from ransomware and other malicious activities.