MyBait: Why We Lured Attackers to Encrypt Our Cloud MySQL
Varonis, Friday, June 19th, 2026
Varonis deployed vulnerable MySQL honeypots across clouds and only the GCP instance was compromised, twice.
Varonis Threat Labs ran a security experiment by deploying intentionally misconfigured MySQL instances across GCP, AWS, and Azure to study attacks on exposed databases. The GCP instance, with a weak root password and public access, was compromised twice within hours by different ransomware operators who stole decoy data and left Bitcoin ransom notes.
Identical configurations on AWS and Azure went untouched, suggesting differential targeting. The research identified over 100,000 publicly accessible MySQL instances and provides detection strategies.