
Exposed Database(s)

Severity: High

Likelihood: High (Common misconfiguration in cloud and internet-facing environments)

General Guidance

Ensure that no database is publicly accessible by default, and enforce strong authentication, encryption, and network restrictions so that access is limited to trusted sources only.

What is the concern?

Exposed databases occur when systems (e.g., MongoDB, Elasticsearch, SQL, Redis) are left accessible over the internet without proper authentication or network controls. Attackers actively scan for these misconfigurations and can quickly access, modify, or delete sensitive data, often without needing to exploit complex vulnerabilities.

Business Impact

  • Immediate data breach involving customer, financial, or proprietary data

  • Regulatory penalties (GDPR, HIPAA, PCI DSS)

  • Data loss or destruction (including ransom demands)

  • Reputational damage and loss of customer trust

  • Business disruption due to corrupted or unavailable data

  • Competitive disadvantage from exposed intellectual property

How can this risk be resolved?

  • Restrict database access using firewalls, VPCs, and IP allowlists

  • Disable public internet exposure unless absolutely required

  • Enforce strong authentication and role-based access controls

  • Enable encryption at rest and in transit

  • Require all administrative and application access to traverse a secure network boundary (e.g., VPN, bastion host, or zero-trust access solution)

  • Regularly audit configurations using cloud security posture management (CSPM) tools

  • Apply secure configuration baselines and harden default settings

  • Monitor and log all database access and queries

Real-World Example

  • MongoDB Ransom Campaigns (2017–present): Thousands of unsecured MongoDB databases were discovered and wiped by attackers, who replaced the data with ransom notes demanding payment for recovery.

  • Elasticsearch Data Leaks: Numerous organizations (including marketing firms and healthcare providers) have accidentally exposed millions of records due to publicly accessible Elasticsearch instances with no authentication.

  • Verizon/NICE Systems Breach (2017): A misconfigured cloud database exposed sensitive data of millions of Verizon customers, including call records and personal information.

Detection Opportunities

  • Continuous scanning for open database ports (e.g., 27017, 9200, 3306)

  • Alerts on databases with public IP exposure or open security groups

  • Detection of unauthenticated access attempts

  • Monitoring for large or unusual data exfiltration patterns

  • Unexpected database queries or administrative actions

  • Discovery of default credentials or no-auth configurations

  • External attack surface monitoring identifying exposed services
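The CSPM audit in the resolution list and the "open security groups" and "open database ports" items in the detection list both come down to the same check: does any ingress rule let the whole internet reach a database listener? The following example, added here and not part of the original page, implements that check over constructed security-group records (the record layout, the group ids and the sample rules are all assumptions for illustration). It handles the cases a naive port-equality check misses: port ranges that happen to cover a database port, all-traffic rules (protocol "-1"), the IPv6 wildcard "::/0", and non-TCP rules that cannot reach a TCP listener.

```python
"""Posture check: flag firewall / security-group ingress rules that expose
common database ports to the whole internet.

Added example, not code from the original page.  The rule records are
modelled loosely on cloud security-group JSON but are constructed here."""
from ipaddress import ip_network

# Ports named on the page's detection list (27017, 9200, 3306) plus other
# common database listeners; the mapping is an assumption for labelling only.
DB_PORTS = {
    27017: "MongoDB",
    9200: "Elasticsearch",
    3306: "MySQL",
    5432: "PostgreSQL",
    6379: "Redis",
    1433: "MSSQL",
}


def is_world_open(cidr: str) -> bool:
    """True when a CIDR admits every IPv4 or IPv6 source address (prefix /0)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def ports_in_rule(rule: dict) -> set:
    """Database ports covered by one rule.

    protocol '-1' means all traffic; a missing port range means all ports;
    UDP/ICMP rules cannot reach a TCP database listener and are ignored."""
    proto = rule.get("protocol")
    if proto == "-1":
        return set(DB_PORTS)
    if proto not in ("tcp", None):
        return set()
    lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
    return {p for p in DB_PORTS if lo <= p <= hi}


def find_exposed_db_rules(groups: list) -> list:
    """Return (group_id, port, service, cidr) for every world-open database port."""
    findings = []
    for sg in groups:
        for rule in sg.get("ingress", []):
            for cidr in rule.get("cidrs", []):
                if not is_world_open(cidr):
                    continue
                for port in sorted(ports_in_rule(rule)):
                    findings.append((sg["id"], port, DB_PORTS[port], cidr))
    return findings


# Constructed sample data (not real infrastructure):
#  - sg-mongo exposes MongoDB through a port range rather than port 27017 itself
#  - sg-allopen allows all traffic from every IPv6 address
#  - sg-private restricts MySQL to RFC 1918 space; its UDP rule is harmless
SAMPLE_GROUPS = [
    {"id": "sg-mongo", "ingress": [
        {"protocol": "tcp", "from_port": 27000, "to_port": 27100,
         "cidrs": ["0.0.0.0/0"]}]},
    {"id": "sg-allopen", "ingress": [
        {"protocol": "-1", "cidrs": ["::/0"]}]},
    {"id": "sg-private", "ingress": [
        {"protocol": "tcp", "from_port": 3306, "to_port": 3306,
         "cidrs": ["10.0.0.0/8"]},
        {"protocol": "udp", "from_port": 9200, "to_port": 9200,
         "cidrs": ["0.0.0.0/0"]}]},
]

if __name__ == "__main__":
    for gid, port, svc, cidr in find_exposed_db_rules(SAMPLE_GROUPS):
        print(f"[HIGH] {gid}: {svc} port {port} reachable from {cidr}")
```

Run as a scheduled job against exported security-group or firewall rules, each finding maps directly to the "Restrict database access" and "Disable public internet exposure" items above; the only rules that should survive the check are ones with a documented business justification.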