ACCORDING to Flare, over 1,400 unprotected MongoDB databases have been ransacked, with 1,416 of 3,100 exposed instances compromised and their contents replaced by ransom notes. The compromised servers account for 45.6% of the exposed databases, while the remaining 54.4% show no signs of infection, leading Flare to caution that some owners may have paid the ransom.
Ransom notes typically demand a $500 Bitcoin payment, and in 98% of cases the notes reference the same Bitcoin address, suggesting the same threat actor as behind the campaign. Flare estimates potential earnings from the campaign could range from $0 up to as much as $842,000, though the actor’s wallet has currently received around $400. The analysis also found that over 95,000 identified MongoDB servers had at least one vulnerability, with most flaws capable of enabling denial-of-service conditions.
The findings come from SecurityWeek’s coverage of the February 2026 report, noting that thousands of publicly discoverable MongoDB servers remain at risk.