MongoBleed Explained Simply
Key topics
The MongoBleed vulnerability has sparked a lively debate about MongoDB's security and usage practices. Commenters point out that a staggering 213K MongoDB instances are exposed to the internet, according to a Shodan scan, and that the default installation settings often leave them vulnerable, with authentication disabled and binding to all interfaces. Many users attribute MongoDB's popularity to its flexibility and ease of use, but also to a perceived "laziness" in not having to define a schema or worry about persistence and durability. Interestingly, some commenters note that other databases, like Postgres, have also been exposed publicly without proper security measures, suggesting that the issue is not unique to MongoDB.
Snapshot generated from the HN discussion
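The insecure defaults called out above (authentication disabled, listener bound to all interfaces) map to two settings in mongod.conf. A minimal sketch of a locked-down configuration, using MongoDB's YAML config option names; the values shown are illustrative, not a complete hardening guide:

```yaml
# mongod.conf: bind only to loopback and require authentication
net:
  bindIp: 127.0.0.1        # do not expose the listener on all interfaces
  port: 27017
security:
  authorization: enabled   # clients must authenticate before reading data
```

Anything that must reach the database from another host should go through an internal network or tunnel rather than a public bind address.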
Discussion Activity
Very active discussion
- First comment: 45m after posting
- Peak period: 33 comments in 0-6h
- Avg / period: 14.3
Based on 114 loaded comments
Key moments
- Story posted: Dec 28, 2025 at 4:03 PM EST (4d ago)
- First comment: Dec 28, 2025 at 4:48 PM EST (45m after posting)
- Peak activity: 33 comments in 0-6h (the hottest window of the conversation)
- Latest activity: Dec 31, 2025 at 2:34 PM EST (2d ago)
That sort of inclination to push off doing the right thing now, saving yourself a headache in the moment, probably overlaps with "let's just make the db publicly exposed" instead of doing the work of setting up an internal network.
But now we can at least rest assured that the important data in MongoDB is just very hard to read, thanks to the lack of schemas.
Probably all of that nasty "schema" work and tech debt will finally be done by hackers trying to make use of that information.
It’s probably better to check what you’re working on than blindly assuming this thing you’ve gotten from somewhere is the right shape anyway.
I honestly feel the opposite, at least if you're the only consumer of the data. I'd never go out of my way to use a dynamically typed language, and since I already have to do something to get the data into my own language's types, it doesn't make a huge difference to me what format it used to be in. When there are a variety of clients being used, though, this logic might not apply.
I never said MongoDB was wrong in that post, I just said it accumulated tech debt.
Let's stop feeling attacked over the negatives of tradeoffs.
In any case, you quite literally said there was a "lack of schemas", and I disagreed with that characterization. I certainly didn't feel attacked by it; I just didn't think it was the most accurate way to view things from a technical perspective.
I suspect that this is in part due to historical inertia and exposure to SecDB designs.[0] Financial instruments can be hideously complex and they certainly are ever-evolving, so I can imagine a fixed schema for an essentially constantly shifting time-series universe would be challenging. When financial institutions began to adopt the SecDB model, MongoDB was available as a high-volume, "schemaless" KV store with a reasonably good scaling story.
Combine that with the relatively incestuous nature of finance (firms tend to poach and hire from within their own ranks) and an average engineer tenure of less than four years at one organisation, and you have an osmotic process of spreading "this at least works in this type of environment" knowledge. Add the naturally risk-averse nature of finance[ß] and you can see how one successful early adoption would quickly proliferate across the industry.
0: This was discussed at HN back in the day too: https://calpaterson.com/bank-python.html
ß: For an industry that loves to take financial risks - with other people's money of course, they're not stupid - the players in high finance are remarkably risk-averse when it comes to technology choices. Experimentation with something new and unknown carries a potentially unbounded downside with limited, slowly emerging upside.
Which is such a cop-out, because there is always a schema. The only questions are whether it is designed and documented, and where it is enforced. Mongo requires some very explicit schema decisions, otherwise performance will quickly degrade.
Kleppmann uses "schema-on-read" vs "schema-on-write" for the same concept, which I find harder to grasp mentally, but it describes when schema validation needs to occur.
* Don't worry about a schema.
* Don't worry about persistence or durability.
* Don't worry about reads or writes.
* Don't worry about connectivity.
This is basically the entire philosophy, so it's not surprising at all that users would also not worry about security.
https://www.shodan.io/search?query=mongodb
https://www.shodan.io/search?query=mysql
https://www.shodan.io/search?query=postgresql
But this must be proportional to the overall popularity.
You very often have both NoSQL and SQL at scale.
NoSQL is used for high availability of data at scale - iMessage famously uses it for message threads, EA famously uses it for gaming matchmaking.
What you do is have both SQL and NoSQL. The NoSQL is basically caches of resources for high availability. Imagine you are making a social media app... Yes of course you have a SQL database that stores all the data, but you maintain API caches of posts in NoSQL.
Why? This gets to some of your other black-vs-white insults: NoSQL is typically WAY FASTER than SQL. That's why you use it. It's way faster to read a JSON file from a hard drive than to query a SQL database, always has been. So why not use NoSQL for EVERYTHING? Well, because you end up with duplicated data everywhere since it's not relational; it's all just giant caches, essentially. You'll also get slow queries when the documents get huge.
Anyway you need both. It's not an either/or thing. I cannot believe this many years later people do not know the purpose of SQL and NoSQL and do not understand that it is not a competition at all. You want both!
Mongo has spent its entire existence pretending to be a SQL database by poorly reinventing everything you get for free in postgres or mysql or cockroach.
That being said, the question was genuine - because I don't keep up with the ecosystem, I don't know if it's ever valid practice to have a NoSQL db exposed to the internet.
-JS devs after "Signing In With Facebook" to MongoDB Atlas
AKA me
Sorry guys, I broke it
The end result is that "everyone" kind of knows that if you put a PostgreSQL instance up publicly facing without a password, or with a weak/default password, it will be popped in minutes, and you'll find out about it because the attackers are lazy and just running crypto-mining malware, etc.
We expected this to hurt performance, but we were unable to measure any impact in practice.
Everyone still working in memory-unsafe languages should really just do this IMO. It would have mitigated this Mongo bug.
see here: https://godbolt.org/z/rMa8MbYox
[0] https://llvm.org/docs/LangRef.html#llvm-memset-intrinsics
[1] https://gitweb.git.savannah.gnu.org/gitweb/?p=gnulib.git;a=b...
The C committee gave you memset_explicit. But note that there is still no guarantee that information cannot leak. This is generally a very hard problem, as information can leak in many different ways once the compiler has copied it elsewhere. Fully memory-safe languages (so "Safe Rust", but not necessarily real-world Rust) would offer a bit more protection by default, but then there are still side-channel issues.
Creating memset_explicit won't fix existing code. "Oh but what if maybe" is just cope.
If I do memset then free, then that's what I want to do.
And the way things go I won't be surprised if they break memset_explicit for some other BS reason and then make you use memset_explicit_you_really_mean_it_this_time
Once you accept that optimizing compilers do, well, optimizations, the question is what should be allowed and what not. Both inlining "memset" and eliminating dead stores are both simply optimizations which people generally want.
> Once you accept that optimizing compilers do, well, optimizations
Why in tarnation is it optimizing out a write to a pointer before a function that takes said pointer? Imagine it is any other function besides free; see how ridiculous that sounds?
And obviously, I did test that it actually works.
Looks like this is the default in OpenBSD.
If you need better performance, write your own allocator optimized for your specific use case — it's not that hard.
Besides, if you don't need to clear old allocations, there are likely other optimizations you'll be able to find which would never fly in a system allocator.
Note that many malloc implementations will do this for you given an appropriate environment, e.g. setting MALLOC_CONF to opt.junk=free will do this on FreeBSD.
ref: https://www.youtube.com/watch?v=b2F-DItXtZs
I would rather not use it, but I see that there are legitimate cases where MongoDB or DynamoDB is a technically appropriate choice.
Absence of evidence is not evidence of absence...
Do other CVE reports come with stronger statements? I'm not sure they do. But maybe you can provide some counterexamples that meet your bar.
It is also a pretty standard response indeed. But now that it was highlighted, maybe it does deserve some scrutiny?
It is standard, yes. The problem with it as a statement is that it's true even if you've collected exactly zero evidence. I can say I don't have evidence of anyone being exploited, and it's definitely true.
What would break if the compiler zero'd it first? Do programs rely on malloc() giving them the data that was there before?
Honestly, aside from the "<emoji> impact" section that really has an LLM smell (but remember that some people legitimately do this, since it's in the LLM training corpus), this feels more like LLM-assisted writing (translated? reworded? grammar-checked?) than a pure "explain this" prompt.
I did some research with it, and used it to help create the ASCII art a bit. That's about it.
I was afraid that adding the emoji would trigger someone to think it's AI.
In any case, nowadays I basically always get at least one comment calling me an AI on a post that's relatively popular. I assume it's more a sign of the times than the writing...
In hindsight, I would not even have thought about it if not for the comment I replied to. LLM prose fails to keep me reading whole paragraphs (I find myself skipping roughly the second half of every one), which was definitely not the case for your article. I did somewhat skip at the emoji heading, not because of LLMs, but because of a saturation of emojis in some contexts that don't really need them.
Again, sorry, don't get discouraged by the LLM witch hunt.
https://x.com/dez_/status/2004933531450179931
Almost always when you hear about emails or payment info leaking (or when Twitter stored passwords in plaintext lol) it's from logs. And a lot of times logs are in NoSQL because it is only ever needed in that same JSON format and in a very highly available way (all you Heroku users tailing logs all day, yw) and then almost nobody encrypts phone numbers and emails etc. whenever those end up in logs.
There's basically no security around logs actually. They're just like snapshots of the backend data being sent around and nobody ever cares about it.
Anyway it has nothing to do with the choice to use NoSQL, it has more to do with how neglected security is around it.
Btw, in case you are wondering: both the Twitter plaintext-password case and the Rainbow Six Siege data leak you mention were logs that leaked. NoSQL-backed logs, sure, but it's more about the data security around logging IMO.
MongoBleed
https://news.ycombinator.com/item?id=46394620
Do yourself a favour, use ToroDB instead (or even straight PostgreSQL's JSONB).
26 more comments available on Hacker News