My MySQL database got exposed without authentication. What should I do?
A MySQL server reachable from the internet — with no password, or one an attacker guessed — means anyone can read, alter or wipe your data. Many victims first learn of it from a ransom note left where their tables used to be. Here’s how to shut it down and find out what happened.
First: don’t panic — but get it off the internet immediately.
Open databases are scanned for constantly; bots find one within hours. Your first job isn’t forensics, it’s closing the port. Do that, then assess — and resist deleting anything until you’ve checked your logs and backups.
// the 60-second version
- Block port 3306 at the firewall now and bind MySQL to localhost.
- Repair authentication and rotate every database password.
- Check for a ransom note and confirm what’s intact via backups.
- Review logs for connections — assume exposed data was copied.
01Understand what’s at risk
A MySQL instance listening on 0.0.0.0:3306 with weak or missing auth gives an attacker the same power your application has — and often more:
- Full read access — every row in every table: customer records, password hashes, tokens, business data.
- Write & delete — they can modify or drop tables, plant backdoors, or hold your data to ransom.
- Lateral movement — credentials and connection strings inside your data can open other systems.
- FILE privileges — a powerful account may read server files or write web shells via
INTO OUTFILE.
Open databases are a top ransomware target. Bots copy the data, drop your tables, and leave a single record demanding crypto. Paying rarely returns anything — the copy is gone either way. Your defence is backups, not the attacker’s goodwill.
02Stop the bleeding — take it off the internet
The fix that matters most is making the port unreachable. Firewall it, then bind MySQL to localhost (or a private interface) so it can’t be served publicly at all.
# deny external access to MySQL ufw deny 3306
[mysqld] bind-address = 127.0.0.1 # localhost only
Restart MySQL after editing (systemctl restart mysql). If your app connects from another host, allow only that host’s IP — never the whole internet — and prefer a private network or SSH tunnel.
03Fix authentication and rotate credentials
An exposed server almost always means weak or missing auth. Lock it down:
- Remove anonymous and passwordless accounts — run
mysql_secure_installationand drop any user with an empty password or a%host you don’t need. - Set strong passwords for
rootand every application user, scoped to the host each connects from. - Rotate app credentials everywhere they’re configured (your
.env/ secrets) — they may have been read. - Rotate secrets stored in the data — API keys, tokens or hashes in the tables should be considered leaked.
-- scope the app user to one host + strong password ALTER USER 'app'@'10.0.0.5' IDENTIFIED BY '<strong-new-secret>'; REVOKE ALL ON *.* FROM 'app'@'%'; FLUSH PRIVILEGES;
04Read the logs — who connected?
Find out whether anyone reached in. Check the general/error logs for connections from unfamiliar IPs, and your firewall logs for the exposure window.
# connections (if the general log was enabled) grep -i "Connect" /var/log/mysql/*.log # who is connected right now mysql -e "SHOW PROCESSLIST;"
- Connections from unknown IPs, especially around the time tables changed, mean access — treat all data as copied.
- Unexpected users or grants (
SELECT user,host FROM mysql.user) can be a planted backdoor. - Check the binary logs for
DROP/DELETE/UPDATEyou didn’t run, to scope tampering.
05Recover safely from backups
If data was altered or a ransom note appeared, do not negotiate. Restore from a known-good backup taken before the exposure window.
- Restore to a freshly secured instance — never back onto a box you can’t trust.
- Keep a copy of the tampered state for evidence/analysis before overwriting.
- No backup? Capture the current state and get incident-response help; paying rarely recovers anything.
If the data included personal information, this may trigger breach-notification duties (GDPR and similar). Loop in whoever owns legal/compliance once the fire is out.
06Make sure it can’t happen again
- Never expose a database to the internet. Bind to localhost/private networks; reach it via VPN or SSH tunnel.
- Require strong auth and least-privilege accounts scoped to specific hosts.
- Back up regularly and test restores — tested backups are your ransomware insurance.
- Monitor for connections from new IPs and alert on schema changes.
- Patch MySQL and keep default/sample accounts removed.
Was this guide useful?
These playbooks are free to read and share. If a heads-up ever saved you a bad week, you can say thanks — or jump into the other guides.