2026.01.16 - Hacked


Post Mortem

On Thursday at 10 PM GMT we got hacked. Here's what happened.

No action needed

There is no action needed on your end, but you should know what was stolen.

Based on data provided during your purchase of a Ragdoll licence:

  • Your full name
  • Your address
  • Your email
  • Your amount paid
  • Your serial number(s)
  • Your licence type, e.g. "unlimited" or "freelancer"

No card or bank details were involved; those are not stored on our servers and are held entirely by our payment processor, Stripe.

New Serial

In the unlikely event that someone actually gets hold of and uses the stolen data, they would be able to activate a machine using your serial. They would not be able to deactivate a licence.

If you notice anything odd, reach out and we'll send you a replacement serial.


On Thursday at 10:53 AM, we received a notification of possible abuse from Hetzner, our cloud server provider.

Dear Mr Marcus Ottosson, We have received a notification from the German Federal Office for Information Security (BSI)

...

In turn, this is the notification they got.

Dear Sir or Madam,

MongoDB is a popular NoSQL database system commonly used as a backend for web applications.

A critical vulnerability (CVE-2025-14847) in MongoDB can be exploited by remote attackers to read system memory areas without authentication and this way obtain sensitive information such as personal data, passwords or cryptographic keys.

The vendor released MongoDB versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32 and 4.4.30 fixing this vulnerability.

All previous versions are vulnerable and should be updated immediately.

We were using Mongo 4.4.6. Upon receiving this, we updated to the suggested 4.4.30, but it was too late.

Later that night, an attacker wiped the database containing the emails and serial numbers of all customers, leaving this message at 10:00 PM.

All your data is backed up. You must pay 0.0048 BTC to ... In 48 hours, your data will be publicly disclosed and deleted. (more information: go to http://...) After paying send mail to us: ...@....org and we will provide a link for you to download your data. Your DBCODE is: ...

Here's a brief timeline of events from discovery to final transition.

  • At 07:35 AM, the message and the breach were discovered and a transition to a new server began.
  • At 09:50 the hole was plugged, and access to https://my.ragdolldynamics.com, which depends on the missing data, was suspended.
  • At 15:35 the transition was complete, the data was restored and access to all websites was restored.

The new server now has:

  1. An up-to-date Mongo, 8.2
  2. An up-to-date OS, Rocky Linux 10
  3. Mongo that is not exposed to the internet
  4. Automated security updates

(3) is what ensures this cannot happen again; (4) makes something similar unlikely. Note that the vulnerability in the notice is described as an unauthenticated memory read, whereas wiping a database and leaving a ransom note takes write access; whichever path the attacker took, neither works once mongod only listens on localhost, which is why (3), rather than the version bump, is the fix that matters.
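As an added example, not code from the Ragdoll post or project, here is a small shell audit for the two conditions this post-mortem turned on: whether the running mongod is below the fixed release for its branch as listed in the BSI notice, and whether mongod is reachable from anything but localhost, judged both from the `bindIp` setting in mongod.conf and from what is actually listening. It also writes the corrected `net` stanza and, behind a `--apply` guard, does the host-side part of items (3) and (4). Assumptions not stated in the post: Linux with `ss`, `firewalld` as the firewall, `dnf-automatic` for unattended updates on Rocky Linux, and `security.authorization: enabled`, which the post does not mention. The config files and `ss -ltn` output inside the script are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the Ragdoll post. Checks the two facts this
# post-mortem turned on: (a) is the running mongod below the fixed release
# for its branch per the BSI notice, (b) can anything but localhost reach it.
# Sample inputs below are constructed; on a real host use /etc/mongod.conf
# and the saved output of `ss -ltn`.
set -u

# Fixed versions quoted in the BSI notice, one per release branch.
FIXED="8.2.3 8.0.17 7.0.28 6.0.27 5.0.32 4.4.30"

# mongo_version_patched X.Y.Z -> exit 0 if X.Y.Z is at or above the fixed
# release of its branch. A branch not in the list is treated as unpatched
# (assumption: such branches are out of support and received no fix).
mongo_version_patched() {
    echo "$FIXED" | tr ' ' '\n' | awk -v v="$1" '
        BEGIN { split(v, r, ".") }
        { split($0, f, ".")
          if (f[1] == r[1] && f[2] == r[2]) { found = 1; ok = (r[3] + 0 >= f[3] + 0) } }
        END { exit (found && ok) ? 0 : 1 }'
}

# mongo_conf_exposed FILE -> exit 0 if mongod.conf binds a non-loopback
# address (bindIpAll, 0.0.0.0, ::, a public address). No bindIp line means
# the mongod default, localhost only.
mongo_conf_exposed() {
    if grep -Eq '^[[:space:]]*bindIpAll:[[:space:]]*true' "$1"; then return 0; fi
    addrs=$(grep -E '^[[:space:]]*bindIp:' "$1" | sed 's/^[^:]*://; s/[",]/ /g')
    for a in $addrs; do
        case "$a" in
            127.*|::1|localhost) ;;   # loopback: fine
            *) return 0 ;;            # anything else is reachable from outside
        esac
    done
    return 1
}

# port_exposed PORT SS_FILE -> exit 0 if the saved `ss -ltn` output shows a
# socket on PORT listening on anything other than loopback.
port_exposed() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); p = a[n]
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (p == port && addr != "127.0.0.1" && addr != "[::1]") found = 1
        }
        END { exit found ? 0 : 1 }' "$2"
}

# write_hardened_conf FILE: loopback only; authorization is this example's addition.
write_hardened_conf() {
    cat > "$1" <<'EOF'
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
EOF
}

# audit_mongo CONF SS_FILE VERSION -> one verdict line per check.
audit_mongo() {
    if mongo_version_patched "$3"; then echo "version: ok"; else echo "version: VULNERABLE ($3)"; fi
    if mongo_conf_exposed "$1"; then echo "config: EXPOSED"; else echo "config: ok"; fi
    if port_exposed 27017 "$2"; then echo "socket: EXPOSED"; else echo "socket: ok"; fi
}

# apply_host_hardening: host side of items (3) and (4). Assumed, not stated
# in the post: firewalld as the firewall and dnf-automatic for unattended
# updates. Runs only when invoked as `sh audit.sh --apply`.
apply_host_hardening() {
    firewall-cmd --permanent --remove-port=27017/tcp   # undo any earlier --add-port
    dnf install -y dnf-automatic
    sed -i 's/^upgrade_type = .*/upgrade_type = security/; s/^apply_updates = .*/apply_updates = yes/' /etc/dnf/automatic.conf
    systemctl enable --now dnf-automatic.timer
}

# ---- constructed sample inputs: the pre-incident host, then the new one ----
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
net:
  port: 27017
  bindIp: 0.0.0.0
EOF
cat > "$tmp/ss_before.txt" <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   0.0.0.0:27017       0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
EOF
cat > "$tmp/ss_after.txt" <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   127.0.0.1:27017     0.0.0.0:*
EOF
write_hardened_conf "$tmp/hardened.conf"
echo "== before (4.4.6, bindIp 0.0.0.0) =="
audit_mongo "$tmp/weak.conf" "$tmp/ss_before.txt" 4.4.6
echo "== after (8.2.3, loopback only) =="
audit_mongo "$tmp/hardened.conf" "$tmp/ss_after.txt" 8.2.3
if [ "${1:-}" = "--apply" ]; then apply_host_hardening; fi
```

Run as-is to see the before/after verdicts on the constructed inputs; on a real host call `mongo_conf_exposed /etc/mongod.conf` and `ss -ltn > /tmp/ss.txt; port_exposed 27017 /tmp/ss.txt`. Binding to loopback closes the network path only: anyone who already has a shell on the box still reaches the socket, which is why the hardened stanza keeps authentication on as well.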

Next steps over the next few days are to further reduce the data kept on our servers, such as address and payment details, and leave those to Stripe, who do a better job at keeping this data safe.

With Mongo now completely cut off from the internet there is no chance of this particular hack happening again, but not having the data to begin with is surely the most secure route forward.