Attackers were able to compromise customers’ personal data by targeting the Accellion FTA server of a third-party vendor.

Morgan Stanley has confirmed a data breach in which attackers were able to access personal information belonging to customers by targeting a vulnerability in the Accellion FTA server.

The server belonged to Guidehouse, a vendor that provides account maintenance services to Morgan Stanley’s StockPlan Connect business, the bank said in a letter disclosing the incident. Attackers were able to access participant data, including name, last known address, birth date, Social Security number, and corporate company name. The data compromised did not include passwords that could be used to access financial accounts.

Morgan Stanley said the compromised files were encrypted; however, attackers were able to obtain the decryption key during the breach.

This makes the bank one of many organizations affected by the vulnerability in the Accellion FTA server, an issue disclosed earlier this year. Following Accellion’s January announcement, several businesses experienced data theft and subsequent extortion attempts.

While Guidehouse patched the vulnerability within five days of its availability, the attacker was able to access the data around that time, officials said. The vendor discovered the attack in March 2021 and learned it affected Morgan Stanley in May. It says the delay was due to the trouble in determining which files were stored in the Accellion FTA server when it was exposed.


The Kaseya ransomware attack is believed to have been down to an authentication bypass. Yes, ransomware needs to be on your radar — but good authentication practices are also imperative.

Last Friday, just before the extended American Independence Day holiday, it was announced that Kaseya, an American software company, was hacked. The malicious actors were able to distribute ransomware by exploiting several vulnerabilities in Kaseya’s Vector Signal Analysis (VSA) software, which gave the attackers the ability to infect multiple organizations via what is known as a supply chain attack.

From Omdia’s perspective, supply chain cybersecurity is hugely complex, and many organizations have not paid it sufficient attention. Organizations can have hundreds or even thousands of suppliers digitally connected, and the risks are rarely quantified, and even when they are, it is frequently a manual process.

The attack is suspected to be the work of REvil (Ransomware Evil; also known as Sodinokibi), a ransomware gang with relative impunity operating out of Russia, where authorities frequently turn a blind eye to such gangs. REvil has demanded $70 million in Bitcoin in return for a universal decryptor that it claims will unlock the files of all victims. It is believed that REvil used an authentication bypass in the Web interface of Kaseya VSA to gain an authenticated session, upload the original payload, and then execute commands via SQL injection.

The attack highlights growing concern in the cybersecurity world about supply chain attacks; there are hundreds or thousands of potential victims by attacking a single supplier. The number of companies affected by this attack is unclear and will likely increase. For example, security company Huntress, which was one of the earliest sources to detect the attack, estimates “30 MSPs across the US, AUS, EU, and LATAM” have been breached and that over 1,000 organizations have been infected with ransomware as a result. Moreover, as a result of this attack, around 500 Coop stores in Sweden were also forced to shut.

Rest assured, this isn’t the last of the supply chain attacks we will see this year, or perhaps even this month. Recommendations from the USA’s Cybersecurity and Infrastructure Security Agency (CISA) for mitigating this particular attack include getting VSA servers offline, enforce multifactor authentication (MFA) as soon as possible, ensure that backups are in order and stored in air-gapped systems, and that remote monitoring and management tools be limited to communication among known IP address pairs.

Organizations must be less trusting of their supply chains and increase focus on understanding and reducing the associated risks.


The world’s largest meat processing company says it paid the equivalent of $11 million to hackers who broken into its computer system late last month.

Brazil-based JBS SA said on May 31 that it was the victim of a ransomware attack, but Wednesday was the first time the company’s U.S. division confirmed that it had paid the ransom.

“This was a very difficult decision to make for our company and for me personally,” said Andre Nogueira, the CEO of JBS USA. “However, we felt this decision had to be made to prevent any potential risk for our customers.”

JBS said the vast majority of its facilities were operational at the time it made the payment, but it decided to pay in order to avoid any unforeseen issues and ensure no data was exfiltrated.

The FBI has attributed the attack as REvil, a Russian-speaking gang that has made some of the largest ransomware demands on record in recent months. The FBI said it will work to bring the group to justice and it urged anyone who is the victim of a cyberattack to contact the bureau immediately.

The attack targeted servers supporting JBS’s operations in North America and Australia. Production was disrupted for several days.

Earlier this week, the Justice Department announced it had recovered most of a multimillion-dollar ransom payment made by Colonial Pipeline, the operator of the nation’s largest fuel pipeline.

Colonial paid a ransom of 75 bitcoin–then valued at $4.4 million -in early May to a Russia-based hacker group. The operation to seize cryptocurrency reflected a rare victory in the fight against ransomware as U.S. officials scramble to confront a rapidly accelerating threat targeting critical industries around the world.

It wasn’t immediately clear if JBS also paid its ransom in bitcoin.

JBS said it spends more than $200 million annually on IT and employs more than 850 IT professionals globally.

The company said forensic investigations are still ongoing, but it doesn’t believe any company, customer or employee data was compromised.


In the aftermath of the Colonial Pipeline hack and the increasing damage done by cybercriminals, the U.S. Department of Justice is intensifying investigations into ransomware assaults to the same level of severity as terrorism, according to a senior department official, as Reuters notes.  

Internal instructions provided to U.S. prosecutors across the country on Thursday said that information about ransomware investigations in the field will be coordinated centrally with a newly formed task force in Washington.

John Carlin, principle associate deputy attorney general at the Justice Department stated, “It’s a specialized process to ensure we track all ransomware cases regardless of where it may be referred in this country, so you can make the connections between actors and work your way up to disrupt the whole chain”.

Last month, a cybercriminal organization operating from Russia penetrated the system of pipeline operator East Coast, locked its systems, and demanded a ransom, according to U.S. authorities. The intrusion led to an outage lasting several days, a jump in gasoline prices, panic buying, and localized fuel shortages in the Southeast.

The scenario changed following the attack on the Colonial Pipeline

Colonial Pipeline opted to pay the hackers who broke into its computers about $5 million to restore access, the company said. Colonial is expressly mentioned in the DOJ advisory as an example of the increasing threat that ransomware and digital extortion pose to the nation.

According to US authorities, the decision by Justice Department, to include ransomware in this unique process shows how the issue is prioritized. In effect, this means that investigators in U.S. Attorney’s Offices dealing with ransomware attacks are required to share both current case files and active technical information with officials in Washington. The directive also suggests offices consider and include other investigations that focus on the larger cybercrime ecosystem.

A survey revealed that 48% of organizations don’t have a user verification policy for password resets, which could pave the way for social engineering vulnerabilities among IT help desks.

Despite the rise in identity theft across various sectors globally, some organizations are still not maintaining a robust verification process to secure their employee data. According to a survey from Specops Software, nearly 48% of organizations don’t have a user verification policy in place for incoming calls to IT service desks. The survey, based on the responses from more than 200 security leaders from the private and public sectors in North America and Europe, found that 28% of the companies that are having user verification policies are not satisfied with their current policy due to security and usability issues.

It was also found that most organizations rely on knowledge-based questions like what is employee ID, manager’s name, or HR-based information like what an employee’s date of birth or address is. This data can be easily obtained by cybercriminals.

Despite several self-service password-reset options, most organizations go to the IT help/service desk for resetting passwords. Threat actors often target an unwitting remote workforce with various social engineering attacks by impersonating an IT service desk. Besides, the National Institute of Standards and Technology (NIST) urged organizations to avoid using knowledge-based questions, for which the answers are based on static information pulled from Active Directory or HR systems.

What is a user verification policy?

A user verification or authentication policy is a process to verify a user who is attempting to access services and applications. The verification can be performed via a variety of authentication methods like entering a password, using two-factor authentication (2FA), or multi-factor authentication (MFA) methods. Verifying users helps determine the appropriate access privileges to the users and also minimizes the risk from hacker intrusions. With the spike in digitalization, organizations must ensure that the right users are given access to the critical digital infrastructure.

“Based on our recent findings, password resets at the service desk are a serious vulnerability for organizations of all sizes. In the absence of a self-service password reset solution, it is up to the service desk agent to verify that the caller is the legitimate owner of the account before issuing a new password. Unfortunately, without a secure verification policy in place, service desk agents can provide account access to unauthorized users without even knowing it – exposing businesses to an increased risk of costly cybersecurity breaches,” said Marcus Kaber, CEO of Specops Software.


Computer security is an issue that is not going to go away anytime soon, and any business that ignores cybersecurity does so at its peril. Whether it’s a data breach or the insertion of a piece of ransomware, you want to do everything you can to keep your computer networks safe.

Part of that involves being aware of what’s happening on your network and knowing how to recognize suspicious activity when it happens. By spotting trouble as soon as it appears, you stand a much better chance at saving yourself any number of headaches and costs.

Here are some things to consider when it comes to identifying suspicious network activity.

Identifying Suspicious Activity

Any number of behaviors, including database activities, unusual access patterns, and changes to files for logs, can point toward a cyberattack or data breach. Recognizing these activities for what they are is vital if you want to locate the source and type of attack. Doing so will let you act quickly in stopping the security threat and minimizing any damage.

Here are some common examples of suspicious activity:

  • Account abuse: The sudden overuse of privileged accounts to grant access to new or inactive accounts is a sure sign of an attack from the inside. Either an employee has initiated a run of unusual activity, or a hacker has gained access to a top-tier account. Other signs could include sharing information without cause, modifications applied to audit records, or mysterious deletion of login files.
  • User access: Unexpected user access changes are often a reliable sign that an outside hacker has acquired a user’s credentials and is poking around your system. Behaviors you may notice include user access at odd hours, remote access, and multiple failed attempts to log in.
  • Database activity: Unusual database activity can come from both inside and outside your business. Vital signs to watch include unexpected changes in users, changes in permissions, changes in data content growth, and access during non-business hours.
  • Unexpected network behavior: Network activities that fall outside of usual expectations are a reliable signal that something amiss is happening. Look for traffic originating from outside your network, protocol violations, and unauthorized scans. A sudden change in network performance should also be checked out.
  • Unexpected virus notifications and system slowdowns: Simple warnings to be on the lookout for would be a sudden increase in virus warnings or pop-up windows. If computers or networks slow to a crawl, there could be a problem. A hacker may have gotten in and installed malicious software, or a website or email may have downloaded and installed malware on the sly.
  • Unauthorized port access: Most ports have specific assignments. If unsanctioned port access occurs, it could be a sign that files are being accessed without authorization or that a malware attack is underway.

How Suspicious Activity Can Vary

Depending on the sort of business you’re in, suspicious activity may present itself in different ways. For instance, smaller companies might notice user abuse or abnormal database activities early on as bad actors access personal or cardholder information. A larger business or financial institution may more likely experience dodgy account behavior, unauthorized port access, and malware or spyware designed to steal financial data and personal identity information.

Some organizations find themselves the target of advanced persistent threats (APTs). These multi-phase attacks usually go after an organization’s network and vary in their subtlety as they poke and probe for weak

nesses or backdoor access. APTs often choose to attack government organizations or large corporations but have been known to cause trouble for small and medium-sized businesses as well occasionally.

Dealing With Suspicious Network Activity

As with most security issues, the key to approaching suspicious network activity is prevention. This requires having set protocols and procedures for both you and your employees. An effective data security policy should include:

  • Solid password policies
  • Periodic review of traffic, error reports, network alerts, and performance
  • Malware and virus protection
  • Robust firewalls
  • Regular risk assessments
  • Employee education
  • Incident and failure response strategies
  • File integrity monitoring

Data Security Is Serious Business

Your customers expect you to keep their information safe, and your business’s reputation is on the line. As often as hackers and other bad actors keep finding new ways to target and exploit networks, so too do the strategies and tools for combating these threats evolve. Whether it’s adopting file integrity monitoring, conducting system activity audits, or running simple virus checkers, you can stay ahead. It just takes a bit of vigilance and commitment to your network’s security.

Your business will be stronger for it.


Cognizant, a multibillion-dollar IT services company with clients in the banking and oil and gas industries, said Saturday its computer systems had been disrupted by Maze ransomware, a strain of malicious code that has been used in cyberattacks in the U.S. and Europe in recent months.

“Our internal security teams, supplemented by leading cyber defense firms, are actively taking steps to contain this incident,” the New Jersey-based company said in a statement. “Cognizant has also engaged with the appropriate law enforcement authorities.”

A Fortune 500 company with over a quarter of a million employees worldwide, Cognizant possesses a wealth of data that would make it a target of hackers. Cognizant’s software and consulting services are used by major pharmaceutical firms and restaurant chains, according to its website.

Earlier this week, the company had notified clients of the incident and shared  “indicators of compromise” — forensic data such as IP addresses and malicious files — so that they could defend against the malicious activity.  The attack caused “service disruptions for some of our clients,” the company said.

“The integrity and availability of our systems are of paramount importance to Cognizant and we are working diligently to minimize any disruptions,” a company spokesperson told earlier on Saturday.

One of the malware samples that Cognizant shared with clients is detected by multiple anti-virus products as Maze ransomware. Hackers affiliated with Maze reportedly denied involvement in the attack to Bleeping Computer, but the forensic data suggests that Maze infrastructure was used in the attack. Nearly all of the malicious IP addresses reported by Cognizant have been previously used by hackers to deploy the Maze ransomware, according to advisories from the Department of Homeland Security and the FBI.

The hackers behind Maze gained notoriety last year by stealing sensitive data from victims, encrypting it, and threatening to publish the information if they aren’t paid a ransom, leading the FBI to privately warn U.S. companies about the threat in December. A spate of attacks has continued since then.

The cyberattack on Cognizant is the latest sign that ransomware gangs are not holding off on targeting companies amid the novel coronavirus pandemic.

Reference: CyberScoop

In the past week, Google says it identified more than 18 million daily phishing messages featuring coronavirus themes.

When you block 100 million phishing email messages every day, you get plenty of data to see trends. Google has seen a big one in recent weeks: Nearly one-fifth of all phishing email messages identified on the Gmail platform now feature coronavirus or COVID-19 as part of their content.

According to Google, last week saw roughly 18 million email messages rejected per day because they were identified as phishing messages preying on fears around the coronavirus pandemic. Typical messages used fear or financial incentives to create a sense of urgency in the recipient and claimed to be from authoritative government agencies or credible NGOs.

Phishing messages frequently ask the recipient to download a file containing a form to be filled out (along with, all too frequently, a malware payload) or to visit a malicious website to fill out a form before a government subsidy or other payment can be delivered.

The 18 million COVID-19-related phishing messages were, according to Google, in addition to more than 240 million coronavirus-themed spam messages sent to Gmail accounts every day.

10 Ways to Avoid Phishing Scams

1. Keep Informed About Phishing Techniques – New phishing scams are being developed all the time. Without staying on top of these new phishing techniques, you could inadvertently fall prey to one. Keep your eyes peeled for news about new phishing scams. By finding out about them as early as possible, you will be at a much lower risk of getting snared by one. For IT administrators, ongoing security awareness training and simulated phishing for all users is highly recommended in keeping security top of mind throughout the organization.

2. Think Before You Click! – It’s fine to click on links when you’re on trusted sites. Clicking on links that appear in random emails and instant messages, however, isn’t such a smart move. Hover over links that you are unsure of before clicking on them. Do they lead where they are supposed to lead? A phishing email may claim to be from a legitimate company and when you click the link to the website, it may look exactly like the real website. The email may ask you to fill in the information but the email may not contain your name. When in doubt, go directly to the source rather than clicking a potentially dangerous link.

3. Install an Anti-Phishing Toolbar – Most popular Internet browsers can be customized with anti-phishing toolbars. Such toolbars run quick checks on the sites that you are visiting and compare them to lists of known phishing sites. If you stumble upon a malicious site, the toolbar will alert you about it. This is just one more layer of protection against phishing scams, and it is completely free.

4. Verify a Site’s Security – It’s natural to be a little wary about supplying sensitive financial information online. As long as you are on a secure website, however, you shouldn’t run into any trouble. Before submitting any information, make sure the site’s URL begins with “https” and there should be a closed lock icon near the address bar. Check for the site’s security certificate as well. If you get a message stating a certain website may contain malicious files, do not open the website. Never download files from suspicious emails or websites. Even search engines may show certain links which may lead users to a phishing webpage which offers low cost products. If the user makes purchases at such a website, the credit card details will be accessed by cybercriminals. 

5. Check Your Online Accounts Regularly – If you don’t visit an online account for a while, someone could be having a field day with it. Even if you don’t technically need to, check in with each of your online accounts on a regular basis. Get into the habit of changing your passwords regularly too. To prevent bank phishing and credit card phishing scams, you should personally check your statements regularly. Get monthly statements for your financial accounts and check each and every entry carefully to ensure no fraudulent transactions have been made without your knowledge.

6. Keep Your Browser Up to Date – Security patches are released for popular browsers all the time. They are released in response to the security loopholes that phishers and other hackers inevitably discover and exploit. If you typically ignore messages about updating your browsers, stop. The minute an update is available, download and install it.

7. Use Firewalls – High-quality firewalls act as buffers between you, your computer and outside intruders. You should use two different kinds: a desktop firewall and a network firewall. The first option is a type of software, and the second option is a type of hardware. When used together, they drastically reduce the odds of hackers and phishers infiltrating your computer or your network.

8. Be Wary of Pop-Ups – Pop-up windows often masquerade as legitimate components of a website. All too often, though, they are phishing attempts. Many popular browsers allow you to block pop-ups; you can allow them on a case-by-case basis. If one manages to slip through the cracks, don’t click on the “cancel” button; such buttons often lead to phishing sites. Instead, click the small “x” in the upper corner of the window.

9. Never Give Out Personal Information – As a general rule, you should never share personal or financially sensitive information over the Internet. This rule spans all the way back to the days of America Online, when users had to be warned constantly due to the success of early phishing scams. When in doubt, go visit the main website of the company in question, get their number and give them a call. Most of the phishing emails will direct you to pages where entries for financial or personal information are required. An Internet user should never make confidential entries through the links provided in the emails. Never send an email with sensitive information to anyone. Make it a habit to check the address of the website. A secure website always starts with “https”.

10. Use Antivirus Software – There are plenty of reasons to use antivirus software. Special signatures that are included with antivirus software guard against known technology workarounds and loopholes. Just be sure to keep your software up to date. New definitions are added all the time because new scams are also being dreamed up all the time. Anti-spyware and firewall settings should be used to prevent phishing attacks and users should update the programs regularly. Firewall protection prevents access to malicious files by blocking the attacks. Antivirus software scans every file which comes through the Internet to your computer. It helps to prevent damage to your system.

Recently HTC acknowledged a vulnerability that can expose a user’s WiFi credentials, including the WiFi SSID and security passwords to a malicious app running on some of its Android phones. The vulnerability was discovered by the security architects Chris Hessing and Bret Jordan, and is published on the US-CERT Website also.

The vulnerability is due to an issue in certain Android models that allow an Android application with basic permissions (particularly ‘android.permission.ACCESS_WIFI_STATE’) to access all the stored WiFi credentials, including the respective SSIDs, user names and security passwords, belonging to various WPA/WPA2-PSK/802.1x based Wi-Fi networks. On the top of this, if an application also has internet permission (‘android.permission.INTERNET’), it can transfer the accessed list of WiFi credentials to a remote server.

Exposing the list of WiFi credentials to an unintended party or person without the user’s knowledge can have serious security implications if the former has malicious intent. Some of these include:

Unauthorized access to private WiFi networks: Gaining access to the list of WiFi credentials from a user’s mobile device, the simplest for a hacker to do is to intrude into corresponding private WiFi networks. The private network can be a home, campus or a corporate WiFi network. The intrusion will allow a hacker to carry a host of malicious activities on the network, such as installing malware on the network and scanning the network for confidential information/security vulnerabilities. Many corporates are adopting the BYOD (Bring Your Own Device) initiatives nowadays, giving access to corporate WiFi to the employee’s personal mobile devices. But, since personal devices lack strict corporate controls, vulnerabilities similar to this recently discovered one can be a serious security threat for corporates adopting BYOD schemes. All WiFi networks requiring a security passphrase (in case of WPA/WPA2-PSK security) or a combination of username and password (in case of WPA/WPA2-802.1x) can suffer intrusion by the potential exploitation of discovered vulnerability. In contrast, WiFi networks requiring digital certificates or SIM based authentication (in case of WPA/WPA2-802.1x) are potentially safe to intrusion attacks launched via vulnerability exploitation. 

Eavesdropping/Session hijacking on secured WiFi networks: Loosing the WiFi credentials of a WPA/WPA2-PSK WiFi network can be more damaging compared to WPA/WPA2-802.1x Wi-Fi network, because in the former all the WiFi clients of a particular network share a common security phrase. Therefore, an attacker having gained the SSID and security passphrase through the discovered vulnerability can sniff all the private encrypted WiFi communications happening over the associated WiFi network (using easily available hardware and software) and decode the same afterward or simultaneously using the available credentials. With the decoded traffic that can potentially reveal browser cookies, a hacker can potentially hijack an authorized user’s web session also. WPA/WPA2-PSK networks are popular among home and SOHO users, and therefore user’s online traffic, even though encrypted, is susceptible to eavesdropping and session hijacking when a hacker has gained necessary credentials illegally by exploiting the discovered vulnerability. 

Man-In-the-Middle attack on WiFi users: Loosing the WiFi credentials also enables a hacker to launch man-in-the-middle attack on connected users of affected WiFi network. The attack can potentially hurt the users due to leakage of confidential data or malware implantation. Although WPA/WPA2-PSK networks are more susceptible to man-in-the-middle, but exploiting the Hole196 Vulnerability, one can also do this attack on WPA/WPA2-802.1x networks too.

Potential loss of personal information: People often use WiFi hotspots for broadband access on their devices while they work, travel or visit various public places. And, many WiFi hotspots contain identity of their location in their SSID, therefore loosing the WiFi credentials also, including the SSID details, can potentially reveal a lot of information about a user to third-parties like company name, travelled places, etc. The personal information details can motivate crimes such as stalking. 

Looking at the damages of loosing out the list of WiFi credentials, the vulnerability discovery is very important from user’s security perspective considering the growing usage of Android-based mobile devices and WiFi networks across the world. Moreover, considering the open nature of Android market, malware exploiting the vulnerability can be easily developed and targeted toward the users of affected devices, posing a greater security concern for them. A fix for the vulnerability is already available and HTC has already said that many phones have received the fix through regular updates, but some users may need to manually update their phones. 

Hopefully, acknowledging the list of potential damages of the discovered vulnerability, mobile device users would be a bit more careful while selecting and installing an app on their device.

A security researcher has identified an unsecured server that was leaking detailed personal details of nearly half a million Indian citizens… thanks to another MongoDB database instance that company left unprotected on the Internet accessible to anyone without password.

In a report shared with The Hacker News, Bob Diachenko disclosed that two days ago he found a 4.1 GB-sized highly sensitive database online, named “GNCTD,” containing information collected on 458,388 individuals located in Delhi, including their Aadhaar numbers and voter ID numbers.

Though it’s not clear if the exposed database is linked to the Government of National Capital Territory of Delhi (GNCTD), Diachenko found that the database contains references and email addresses with “” domain for users registered with “senior supervisor,” and “super admin” designations.

Based upon the information available on Transerve Technologies website, it is a Goa-based company that specializes in smart city solutions and advanced data collection technology.

The company’s data collector, precision mapping and location intelligence tool help businesses across various sectors and Governments agencies to utilize Geo-location data to make smart decisions intelligently.

The leaked database contains the following tables:

  • EB Users (14,861 records)
  • Households (102,863 records)
  • Individuals (458,388 records)
  • Registered Users (399 records)
  • Users (2,983 records)

Analyzed by Diachenko, one of the database tables containing registered users includes email addresses, hashed passwords and usernames for administrator access.

delhi database leak
delhi database leak

“The most detailed information contained in ‘Individuals’ collection which was basically a pretty detailed portrait of a person, incl. health conditions, education, etc.,” Diachenko said.

“Households collection contained fields such as ‘name’, ‘house no’, ‘floor number’, ‘geolocation’, area details, ’email_ID’ of a supervisor, ‘is the household cooperating for survey’ field, ‘type of latrine’, ‘functional water meter’, ‘ration card number’, ‘internet facility available’ and even ‘informan name’ field.”

“It remains unknown just how long database was online and if anyone else accessed it,” Diachenko said.

When Transerve didn’t respond to the responsible disclosure sent via email, Diachenko contacted Indian CERT, which further coordinated with the company to take its exposed database offline immediately.

“The danger of having an exposed MongoDB or similar NoSQL databases is a huge risk. We have previously reported that the lack of authentication allowed the installation of malware or ransomware on thousands of MongoDB servers,” Diachenko said.

“The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges. Once the malware is in place, criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains.”

This isn’t the first time when MongoDB instances are found exposed to the Internet. In recent years, we have published several reports where unprotected database servers have already exposed billions of records.

None of this is MongoDBs fault, as administrators are always advised to follow the security checklist provided by the MongoDB maintainers.