How quickly does an unprotected database get found online? Less than 9 hours

A server rack with its security door unlocked in a data center.
(Image credit: Timofeev Vladimir/Shutterstock)

What happens when a database full of vital personal information is left unprotected on the internet? Potential data thieves find it within hours, says hybrid tech blog/research team/VPN affiliate reseller Comparitech.

On May 12, Comparitech spun up a "honeypot" server containing fake user data and left it without adequate password protection to attract thieves, explained the site's Paul Bischoff in a blog post earlier this week. 

"We wanted to find out how fast data can be compromised if left unsecured," Bischoff wrote.

Over the next 11 days, the honeypot server was accessed 175 times, with the first try coming eight hours and 35 minutes after the server went online. More than three dozen intrusions were made over the next four days. 

The Shodan search engine indexed and listed the server on May 16, and 22 more accesses were made in the following 24 hours.

This research is admittedly self-serving, because Comparitech specializes in finding unprotected databases on the internet. Yet it's never been clear whether that matters, because security researchers can rarely tell if anyone else found an open server before they did or if any data was stolen.

To use a real-world analogy, if you find the front door to your home unlocked, but nothing seems to be missing, then how can you tell if anyone got in? Comparitech's study is like leaving the house door unlocked while setting up a surveillance camera across the street to monitor it.

Attacks or just queries?

Most of the "attackers" -- Comparitech's words, not ours, because accessing an unprotected database is not a crime -- were using IP addresses in the U.S., Romania and China. That doesn't mean they were physically located in those countries.

In fact, most of the "attacks" simply queried the database's status, which is no big deal. But some aimed to "mine cryptocurrency, steal passwords, and destroy data," Bischoff wrote.

The experiment came to an abrupt end May 22, when a real genuine attacker, probably a bot, "deleted the contents of the database and left a message with contact information and request for payment" in Bitcoin.

This wasn't exactly a scientific study. It's just one server in a one-time test that lasted less than two weeks. We don't know how many other honeypots, if any, Comparitech set up before it got the results it wanted. 

A more thorough study would set up many more servers in many different locations at many different locations over a longer period of time, then analyze how many servers get accessed and how frequently. Then we'd have a real idea of just how likely it is for unprotected sensitive data to get stolen.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.