The attack took down the service Saturday, September 30. In a statement released on Sunday, the company said an automated bot accessed their server, wiped the database, and left a ransom note behind. The database appears to be a PostgreSQL instance.
Company left server exposed online
The attacker’s bot was able to access the database because the company’s engineers left remote connections enabled for the database server from the development phase.
“Due to the hectic and unplanned September migration, we didn’t have everything locked down yet, which led to this situation,” an R6DB spokesperson said. “They left a nice ransom message, but we have no reason to believe that they kept any data. On top of that our backups are useless, since they didn’t work on the Postgres codebase yet.”
R6DB said the attacker only accessed the database, but they decided to wipe and reinstall the entire machine, just to be safe.
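A defender-side check for the kind of exposure described above, as an added example (not R6DB's code or configuration): it reads PostgreSQL's `listen_addresses` setting and the `pg_hba.conf` rules and reports when the server accepts connections from other hosts. The sample files and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample configuration (not R6DB's actual files).
SAMPLE_CONF = "listen_addresses = '*'   # left over from development\nport = 5432\n"
SAMPLE_HBA = """\
local  all  all                 peer
host   all  all  127.0.0.1/32   scram-sha-256
host   all  all  0.0.0.0/0      scram-sha-256
host   all  all  10.0.0.0/8     trust
"""
LOCAL_ONLY = {"localhost", "127.0.0.1", "::1"}

def listen_addresses(conf_text):
    """Return configured listen_addresses; PostgreSQL defaults to localhost."""
    for line in conf_text.splitlines():
        key, _, value = line.split("#", 1)[0].partition("=")
        if key.strip() == "listen_addresses":
            value = value.strip().strip("'\"")
            return [a.strip() for a in value.split(",") if a.strip()]
    return ["localhost"]

def remote_rules(hba_text):
    """Yield (address, method) for host* rules matching non-loopback clients.
    Assumes CIDR-style addresses (the separate IP/netmask form is not handled)."""
    for line in hba_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue
        address, method = fields[3], fields[4]
        try:
            if ipaddress.ip_network(address, strict=False).is_loopback:
                continue
        except ValueError:  # hostname or keyword such as "all" / "samenet"
            if address == "samehost":
                continue
        yield address, method

def audit(conf_text, hba_text):
    """Return findings if the server accepts connections from other hosts."""
    listens = listen_addresses(conf_text)
    if all(a in LOCAL_ONLY for a in listens):
        return []  # only loopback (or no TCP listener): not reachable remotely
    findings = [f"listen_addresses={','.join(listens)} accepts remote connections"]
    for address, method in remote_rules(hba_text):
        note = "no password required" if method == "trust" else f"auth: {method}"
        findings.append(f"pg_hba.conf admits clients from {address} ({note})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, SAMPLE_HBA):
        print("FINDING:", finding)
```

An empty result means the instance listens only on loopback; any finding is a reason to restrict `listen_addresses`, narrow the `pg_hba.conf` address ranges, or put the port behind a firewall.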
Some data is lost for good
Company engineers are working to restore as much of the data as possible, but R6DB expects some information to be lost for good.
Staff says they never stored any personal data on Rainbow Six Siege players, so service users don’t have anything to worry about.
All that was lost is player statistics. Gamers used R6DB exactly for this purpose: to keep track of their evolution over time and to get another perspective on their stats besides what the game provides.
“We basically lost all our historical data,” said R6DB. “Some profiles are gone. We can re-index them when searched for, but that’s a step we can’t do ourselves.”
“Progressions (aka historical data, aka charts) are [EXPLETIVE] They’ll fill up again over time, but the past is gone,” R6DB said. “[PC only] aliases are half-[REDACTED]. We still have some older data, but about a month’s worth of aliases is lost.”
At the time of writing, R6DB is up and running, but the company is still working on restoring player data. Staff expects to finish the restoration process by Monday.
A new server has been added and most of the data has been recovered, but the process is still ongoing.
Similar attacks have been taking place for two years
The ransom attack on a PostgreSQL database is one of the first of its kind, but not unique. Hackers have been scanning the Internet for exposed databases, wiping their content, and leaving ransom notes behind in the hopes that victims fall for the trick and pay the ransom without investigating what truly happened to their data.
MongoDB, ElasticSearch, Hadoop, CouchDB, Cassandra, and MySQL servers have been targeted.
The most recent wave of attacks targeted MongoDB, at the start of the month. The company behind MongoDB blamed the attacks on server owners who left their databases open to connections without a password on the admin account.