Cyber Incident Victim: NewsBlur

Date: Jun 2021

Location: United States of America

Summary

An attacker wiped one of the MongoDB databases behind NewsBlur, a popular RSS reader, after a firewall misconfiguration during a database migration: Docker's port-publishing rules took precedence over the host's ufw allowlist and exposed the MongoDB server to the internet. The attacker left a ransom demand, but the service was restored from a backup taken shortly before the migration. The incident fits a long-running pattern of automated attacks on internet-exposed MongoDB instances, in which threat actors wipe unprotected databases and demand payment, often without holding any copy of the data. The attacker found the exposed server within about three hours of the misconfiguration.

Description

On June 24, 2021, NewsBlur, a web-based RSS reader, suffered a security incident when an attacker reached its MongoDB database, wiped it, and demanded a ransom for its return. The breach occurred during a planned migration in which founder Samuel Clay was moving the MongoDB cluster to new servers. A firewall misconfiguration allowed the intrusion: Clay had enabled the Uncomplicated Firewall (ufw) with a strict allowlist, but Docker had inserted its own iptables rules that published MongoDB's default port (27017) to the public internet. ufw's allowlist governs traffic addressed to the host itself, while Docker inserts its own rules ahead of ufw's for traffic it forwards to containers, so the allowlist never applied to the published port and anyone on the internet could reach the database. Within three hours of the exposure an attacker found the unprotected server, deleted its contents, and left a ransom note. The incident affected one of NewsBlur's five database systems and no other part of its infrastructure.
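The check a Docker host operator would want after reading the above, as an added example that is not NewsBlur's configuration or code from the incident writeup: list every container port Docker has published on a wildcard address (the ports a ufw allowlist does not protect), then print the `DOCKER-USER` rules that would restrict them. The container names, the `10.0.0.0/8` allowlist and the `eth0` interface are assumed; the `docker ps` output is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from NewsBlur or from the incident writeup.
# Audits a Docker host for container ports published on all interfaces. Such
# ports bypass a ufw allowlist: Docker DNATs them in the nat PREROUTING chain
# and accepts them in its own DOCKER chain under FORWARD, ahead of ufw's rules,
# so the allowlist never sees the traffic. Remediation rules are printed for
# DOCKER-USER, the chain Docker evaluates before its own rules.
# Assumed for illustration: container names, the 10.0.0.0/8 allowlist, eth0.

# Constructed stand-in for:  docker ps --format '{{.Names}}\t{{.Ports}}'
sample_docker_ps() {
    printf '%s\t%s\n' \
        'mongo-primary' '0.0.0.0:27017->27017/tcp, :::27017->27017/tcp' \
        'redis-cache'   '127.0.0.1:6379->6379/tcp' \
        'web'           '0.0.0.0:443->443/tcp'
}

# exposed_ports: read name/ports lines on stdin and print one "NAME PORT/PROTO"
# line per publish bound to a wildcard address (0.0.0.0, :: or [::]).
# Loopback-bound publishes are not reported; duplicates (v4 + v6) collapse.
exposed_ports() {
    tab=$(printf '\t')
    awk -F"$tab" '
    {
        n = split($2, maps, ", ")
        for (i = 1; i <= n; i++) {
            # each map looks like HOSTADDR:HOSTPORT->CONTAINERPORT/PROTO
            if (maps[i] ~ /^(0\.0\.0\.0|::|\[::\]):/) {
                split(maps[i], lr, "->")
                hostport = lr[1]; sub(/^.*:/, "", hostport)
                proto = lr[2];    sub(/^.*\//, "", proto)
                print $1, hostport "/" proto
            }
        }
    }' | sort -u
}

# docker_user_drop_rules ALLOWED_CIDR EXT_IF: for each "NAME PORT/PROTO" line
# on stdin, print an iptables command that drops connections arriving on EXT_IF
# from outside ALLOWED_CIDR for that port. --ctorigdstport matches the port the
# client connected to, before Docker's DNAT rewrote the destination.
docker_user_drop_rules() {
    allowed=$1
    ext_if=$2
    while read -r name portproto; do
        port=${portproto%/*}
        proto=${portproto#*/}
        printf 'iptables -I DOCKER-USER -i %s ! -s %s -p %s -m conntrack --ctorigdstport %s --ctdir ORIGINAL -j DROP  # %s\n' \
            "$ext_if" "$allowed" "$proto" "$port" "$name"
    done
}

# Dry run on the constructed sample. On a real host, replace sample_docker_ps
# with:  docker ps --format '{{.Names}}\t{{.Ports}}'
sample_docker_ps | exposed_ports | docker_user_drop_rules 10.0.0.0/8 eth0
```

The script only prints rules; review them before applying. The simpler fix for a database container is to publish the port on loopback (`-p 127.0.0.1:27017:27017`) or not publish it at all and let clients reach it over a Docker network, and none of this replaces enabling authentication on MongoDB itself.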

NewsBlur resolved the incident by restoring from a backup made just before the migration attempt, which was still available. Clay attributed the speed of the attack to automated scanners that hunt for exposed MongoDB instances, a pattern known since late 2016 in which threat actors wipe unprotected databases and demand ransoms of typically $200 to $2,000. Attackers in these campaigns often claim to hold a copy of the data, but the historical record suggests such claims are usually empty. Restoring from the pre-migration backup limited the disruption, and no data was lost because the backup predated the wipe. At the time of the incident, internet scans by the Shadowserver Foundation found roughly 80,000 MongoDB servers reachable online, more than 16,000 of them without password protection, showing how common such exposures remain even though attack volumes have fallen from their 2016–2017 peak.
