This year has seen tens of thousands of MongoDB cyberattacks, resulting in the theft of millions of records. MongoDB itself ships with the controls needed to prevent unauthorized access, but many users never enabled them and inadvertently left their databases reachable from the Internet.
The exposed databases could be read, modified or dropped by anyone who could reach them over the Internet, with no authentication required. Earlier this year, attackers exploited this common misconfiguration at scale: more than 27,000 MongoDB instances were hit, data was stolen, databases were deleted, and a ransom note was left in their place demanding payment to regain access to the data. Many of the affected firms saw no alternative but to pay.
MongoDB had made it quite clear that these security controls had to be applied manually, but many firms overlooked this. To prevent a repeat, MongoDB announced at its user conference yesterday that the next version of the open-source database will be secure by default.
The new release, MongoDB 3.6, will be made available in December this year. Version 3.6 includes new protections that make the dangerous misconfiguration much harder to arrive at by accident: out of the box, mongod binds only to localhost, so a freshly installed instance cannot be reached from other hosts until an administrator deliberately changes that.
Users who need remote access will have to bind mongod to a network interface explicitly. Binding alone is not a security control, though: an instance reachable over the network with authentication still disabled is exactly as exposed as the ones attacked this year. Anyone who opens the listener must therefore also enable authentication and create administrative users, otherwise everyone who can reach the port has full access.
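The two settings described above are the whole story behind this year's attacks: a listener on a non-loopback interface combined with authorization left disabled. The following audit script is an added example written for this article, not MongoDB's own tooling. It parses the `net` and `security` sections of a mongod.conf and reports whether an instance is in the attackable state, taking the server version into account because an unset `bindIp` means "all interfaces" before 3.6 and "localhost" from 3.6 on. The config keys `net.bindIp`, `net.bindIpAll` and `security.authorization` are real mongod options; the three sample configurations embedded in the script are constructed for the example.

```python
# Added example for this article (not MongoDB's own tooling): audit a mongod.conf
# for the two settings that made this year's ransom attacks possible, namely a
# listener on a non-loopback interface combined with authorization left disabled.
# net.bindIp, net.bindIpAll and security.authorization are real mongod options;
# the sample configs below are constructed for the example.

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_conf(text):
    """Parse the two-level 'section:' / '  key: value' shape used by mongod.conf.

    Deliberately minimal (no PyYAML dependency): comments are stripped and
    deeper nesting is flattened into the enclosing section. Enough for the
    net and security sections this audit cares about.
    """
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        if indent == 0:
            if value:                      # scalar at top level, no children
                conf[key], section = value, None
            else:
                section = key
                conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value
    return conf


def _section(conf, name):
    sec = conf.get(name, {})
    return sec if isinstance(sec, dict) else {}


def audit(text, version=(3, 6)):
    """Classify a config. `version` decides what an unset bindIp means:
    mongod bound to all interfaces before 3.6 and to localhost from 3.6 on."""
    conf = parse_conf(text)
    net, sec = _section(conf, "net"), _section(conf, "security")

    if net.get("bindIpAll", "").lower() == "true":
        exposed, reason = True, "net.bindIpAll: true"
    elif "bindIp" not in net:
        exposed = version < (3, 6)
        reason = "net.bindIp unset; %s default" % ("all-interfaces" if exposed else "localhost")
    else:
        addrs = {a.strip() for a in net["bindIp"].split(",")}
        exposed = not addrs <= LOOPBACK     # any non-loopback address counts
        reason = "net.bindIp: " + net["bindIp"]

    auth_enabled = sec.get("authorization", "disabled").lower() == "enabled"
    return {
        "network_exposed": exposed,
        "bind_reason": reason,
        "auth_enabled": auth_enabled,
        # the attack precondition: reachable from the network AND no credentials needed
        "ransomable": exposed and not auth_enabled,
    }


# Constructed sample: the shape of the instances that were wiped this year.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # every interface
# no security section: authorization defaults to disabled
"""

# Constructed sample: remote access is genuinely needed, so the listener is
# opened on one private address only and authorization is switched on with it.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""

# Constructed sample: nothing set at all, i.e. a fresh install relying on defaults.
DEFAULT_CONF = """\
storage:
  dbPath: /var/lib/mongodb
"""

if __name__ == "__main__":
    for name, text in [("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("default", DEFAULT_CONF)]:
        for ver in [(3, 4), (3, 6)]:
            print(name, ver, audit(text, ver))
```

The interesting case is DEFAULT_CONF: the same file is attackable on a pre-3.6 binary and safe on 3.6, which is precisely the change announced yesterday. The order of operations matters when hardening a live instance: enable authorization and create the first administrative user over the local socket (MongoDB's localhost exception allows `db.createUser()` in the `admin` database when no users exist yet), and only then widen `bindIp`. A quick external check is to connect from another host with the mongo shell and run `db.adminCommand({listDatabases: 1})` without credentials; if that returns a database list, the instance is in the exposed state the script flags.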
The new secure default should prevent the class of MongoDB attacks seen earlier this year, at least for instances that nobody has deliberately exposed to the network without also turning on authentication.