6 votes

NewsBlur Mongo database deleted in ransom attack (and restored)

NewsBlur was down yesterday evening due to its Mongo database getting attacked by a hacker and held for ransom. It’s restored from backup, but there are privacy implications for anyone who had sensitive private data there. We will likely find out more after the maintainer recovers from a busy night.

There are no good links for this, but it’s being discussed on Hacker News. Since it’s open source, someone described what’s being kept in that database.

(I use NewsBlur, but I don’t think my RSS reading habits are all that sensitive. Others might be in a different situation, though.)

5 comments

  1. DataWraith

    Comments further down the HN thread indicate that it's likely that the data was simply deleted instead of exfiltrated but I can't seem to find the exact comment anymore :/

    The scary thing about the whole incident is that this is something that could have happened to me. If you set up a firewall, you trust that it keeps other machines from connecting, but apparently Docker can silently bypass the rules that ufw sets up and expose your containers anyway.

    5 votes
    1. skybrian

      Okay, I changed the headline since we don't know whether it was copied.

      1 vote
  2. skybrian

    Update: How a Docker footgun led to a vandal deleting NewsBlur's MongoDB database:

    I can definitively write that no data was leaked during the hack. I know this because of two different sets of logs showing that the automated attacker only issued deletion commands and did not transfer any data off of the MongoDB server.

    2 votes
    1. admicos

      Oh yeah, Docker doesn't work with UFW. I hit that same issue too and had to resort to not hosting anything not-public. (In my case I was trying to do VPN-only access)

      Maybe now that someone high profile got hacked, they will fix it.

      Or maybe I'll switch to podman, assuming they don't have this issue...

      3 votes
      1. callmedante

        I'm really liking Podman as my Docker replacement. I don't build anything, so I have no experience there, but for just about everything else, it's worked a gem.

        I like the rootless nature of Podman. It may be my ignorance of containers, but I think a rootless container is less of a security threat vector than one running with root privileges. I also like how services can talk to each other locally by setting up a pod, but those same services aren't accessible from the outside unless I open the appropriate ports.

        2 votes
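The Docker/ufw interaction raised in this thread comes down to how ports are published: Docker programs its own iptables rules, so a `-p`/`ports:` entry without a loopback host address is reachable from outside no matter what ufw allows. The audit below is an added example, not NewsBlur's or Docker's own code; it parses Docker's short port syntax for a constructed list of port specs, flags the world-exposed ones and rewrites them to bind to 127.0.0.1 (bracketed IPv6 addresses are assumed not to appear).

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample of "ports:" entries as they might appear in a
# docker-compose.yml or `docker run -p`. Not from NewsBlur's configuration.
SAMPLE_PORT_SPECS = [
    "27017:27017",            # Mongo published on every interface
    "127.0.0.1:27017:27017",  # Mongo on loopback only
    "0.0.0.0:6379:6379/tcp",  # Redis explicitly on all interfaces
    "8080",                   # random host port, all interfaces
    "127.0.0.1::5432",        # random host port, loopback only
]

@dataclass
class PortSpec:
    host_ip: Optional[str]
    host_port: Optional[str]
    container_port: str
    proto: str

def parse_port_spec(spec: str) -> PortSpec:
    """Parse Docker's [ip:][host_port:]container_port[/proto] short syntax.
    Assumes no bracketed IPv6 host addresses (they contain ':' themselves)."""
    body, _, proto = spec.partition("/")
    parts = body.split(":")
    if len(parts) == 1:
        return PortSpec(None, None, parts[0], proto or "tcp")
    if len(parts) == 2:
        return PortSpec(None, parts[0], parts[1], proto or "tcp")
    if len(parts) == 3:
        return PortSpec(parts[0], parts[1] or None, parts[2], proto or "tcp")
    raise ValueError(f"unsupported port spec: {spec!r}")

def is_world_exposed(spec: PortSpec) -> bool:
    """No host IP means Docker binds 0.0.0.0 (and :: when IPv6 is on), and its
    own iptables rules let that traffic in ahead of ufw's chains."""
    return spec.host_ip in (None, "0.0.0.0", "::")

def harden(spec: str) -> str:
    """Rewrite a spec so the host side binds to loopback only."""
    p = parse_port_spec(spec)
    if not is_world_exposed(p):
        return spec
    return f"127.0.0.1:{p.host_port or ''}:{p.container_port}/{p.proto}"

def audit(specs):
    """Return (original, hardened) pairs for every world-exposed spec."""
    return [(s, harden(s)) for s in specs if is_world_exposed(parse_port_spec(s))]
```

For the VPN-only case mentioned above, substitute the VPN interface's address for 127.0.0.1; rules placed in the iptables DOCKER-USER chain are the other documented route, since Docker evaluates that chain before its own rules.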