Cyber Incident Victim: Princeton University
Date: Jan 2017
Location: United States of America
Summary
Princeton University experienced a ransomware attack targeting an unsecured MongoDB database exposed on port 27017 without authentication. Attackers deleted the database and demanded a 0.2 Bitcoin payment for restoration, leaving a ransom note with contact instructions. The compromise was identified by external cybersecurity researchers, though the institution declined to disclose whether personal data of students, faculty, or staff was involved or whether information was exfiltrated. It remains unclear whether the affected database was directly managed by the university or by a third-party vendor, or whether it contained sensitive unencrypted records. The incident is one instance of the widespread exploitation of misconfigured, Internet-exposed MongoDB instances during this period.
Description
On January 7, 2017, Princeton University was identified as a victim of a widespread MongoDB ransomware attack campaign affecting over 27,000 entities. Attackers exploited MongoDB databases left publicly accessible on port 27017 without authentication requirements, enabling unauthorized access to database contents. The attackers deleted Princeton's database contents and replaced them with a ransom note demanding payment of 0.2 Bitcoin (approximately $200 at the time) to a specified cryptocurrency address (1Hhb4rJY7hYFMLwE1j1834zWsNBRWXN9Sv). The note instructed victims to contact [email protected] with their server IP address after payment to potentially recover their data. Security researcher Victor Gevers of the GDI Foundation confirmed the compromise after initial detection by DataBreaches.net, which notified Princeton about the breach on the same day it was discovered.

Princeton University declined to provide any details about the incident when contacted by DataBreaches.net, leaving critical questions unanswered. The university did not disclose whether the compromised database contained sensitive personal information of students, faculty, or staff, nor confirm if the data was merely deleted or also exfiltrated by attackers. It remained unclear whether the affected database was a production system containing unencrypted personally identifiable information or a non-critical system, and whether Princeton or a third-party vendor managed the database at the time of the attack. The lack of transparency prevented assessment of potential impacts on individuals or institutional operations. DataBreaches.net publicly urged Princeton community members to seek direct answers from the university regarding potential exposure of their personal data, noting no further updates were available as of the article's publication date on January 10, 2017.
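As an added illustration that is not part of the incident reporting above: a constructed mongod.conf showing the exposure pattern described (listening on every interface on port 27017 with authorization off) beside a hardened configuration. The configuration keys are MongoDB's own; the private address, certificate path and log path are placeholders, and the hardened settings only take effect once an administrative user has actually been created.

```yaml
# --- Exposed configuration of the kind described above (constructed) ---
# Any host that can reach TCP/27017 may read, drop and replace collections.
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on all interfaces
security:
  authorization: disabled  # no credentials required
---
# --- Hardened configuration (constructed) ---
# Reachable only from loopback and one private interface, credentials and
# TLS required, and a log that would record a mass drop and unknown clients.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5         # 10.0.0.5: placeholder private address
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/mongo/mongod.pem   # placeholder path
security:
  authorization: enabled     # every client must authenticate
setParameter:
  enableLocalhostAuthBypass: false   # close the loopback exception after
                                     # the first admin user exists
systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log  # placeholder path
  logAppend: true
```

Pair the bind restriction with a host or network firewall rule that denies inbound 27017 from anything other than the application tier, and verify from an outside address that the port no longer answers.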
