Online exposed StashApps are getting ransomed

Hello all, I recently got curious about searching for exposed instances of stashapp online. I found many, but also made a scary discovery:

Online exposed stashapp instances are getting ransomed. Some malicious people are getting in (the login option is always disabled; I found only one that had it enabled, see the stats at the bottom of the post), removing all of the content, and posting a ransom message.

Here are screenshots:

  1. First case (the second found working exposed instance):
    On the first picture, you can see that the whole stash has been emptied. On the second one, you can see the full ransom message, and, from the URL, we can tell the owner had at least 913 scenes removed.

  2. Second case (the fourth found working exposed instance):
    Here, some scenes are still there, but there are also some ransom messages.

  3. Third case (the seventh found working exposed instance):
    The scene number here was 21, indicating again a loss of data.

  4. Fourth case (the tenth found working exposed instance):
    Here it seems the owner even paid, as the “conversation” shows. The scene with the ransom title is number “2204”, and all the previous ones were removed.

  5. Fifth case (the eleventh found working exposed instance):
    On this one it seems the instance was already empty.

Here are the stats of my research:

| | Count |
|---|---|
| Ransomed instances | 5 |
| Locked instances | 1 |
| Offline instances | 7 |
| Not ransomed instances | 7 |
| Total | 20 |

I think something should be done to reduce that. Warnings in Reverse proxy - Stash-Docs would be a good start, including ransom screenshots to prove the point, and advising on setting a password.


This got me curious. Quick look. I found what looks like 43 Stash instances on the web (doesn’t look like all load for me, especially the ones in China). The one with the Group saying he already paid a while ago seems to be doing a rebuild/restore and is rescanning their library. What’s more horrifying is that the IP is also attached to a .com domain using his full name.

Presumably these people must’ve hit the tripwire at some point and have disabled it. Heck, my Stash is on a separate private subnet from my Stash instance and I used to hit it before I set up authentication.

What I find curious is people paying for hosted servers for it and having them on the web like this. I guess you could use Stash as a very interesting honeypot.

I’ve gotten pretty jaded on this. It’s 2025, and if you’re gonna publish to the internet something wide-open, you kinda get what happens to you.

Mine is behind a reverse proxy and passworded with a single account anyway. I also block Russia, China, and other questionable countries at the router level via the software feature that adds geoblocking. I also have tools monitoring for repeated login attempts and banning them (fail2ban).

It is kinda ‘fun’ to read through the logs, they shrunk quite a bit when I blocked China and Russia.

Stash already has a built-in tripwire. People who choose to expose their instances have to go out of their way into the configuration and flip the dangerous_allow_public_without_auth option value from false to true.

They are also linked to Protecting against accidental exposure to the internet once the tripwire is tripped.

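As an added illustration of the tripwire described in the post above (example code, not part of the thread or of Stash itself), this script audits a Stash-style config.yml for the exposure combination the thread is about: `dangerous_allow_public_without_auth` flipped to true while no credentials are set. It assumes the config is flat `key: value` YAML with `host`, `username` and `password` keys; the sample configs are constructed, and the bcrypt value is a placeholder.

```python
# Added example (not Stash's own code): flag a config.yml that has the
# public-without-auth tripwire disabled but no login configured.
# A tiny flat key: value parser stands in for a YAML library so the
# script runs offline without dependencies.

# Constructed sample configs; the password hash is a placeholder.
EXPOSED_CONFIG = """\
host: 0.0.0.0
port: 9999
dangerous_allow_public_without_auth: true
username: ""
password: ""
"""

HARDENED_CONFIG = """\
host: 127.0.0.1
port: 9999
dangerous_allow_public_without_auth: false
username: admin
password: $2a$10$PLACEHOLDER_BCRYPT_HASH
"""


def parse_flat_yaml(text):
    """Parse top-level `key: value` lines into a dict of strings.
    Surrounding quotes are stripped; comments and blank lines skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        cfg[key.strip()] = value.strip().strip("'\"")
    return cfg


def audit(cfg):
    """Return findings for the exposure pattern discussed in the thread."""
    findings = []
    tripwire_off = cfg.get("dangerous_allow_public_without_auth", "false").lower() == "true"
    no_creds = not cfg.get("username") or not cfg.get("password")
    if tripwire_off and no_creds:
        findings.append("tripwire disabled and no username/password set: "
                        "anyone who can reach the port has full control")
    if cfg.get("host", "") in ("0.0.0.0", "::"):
        findings.append("listening on all interfaces: confirm a reverse proxy "
                        "or firewall sits in front")
    return findings


if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_flat_yaml(text)) or ["no findings"])
```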

Someone brought this up on the discord ages ago, sad to see that someone is taking advantage of it. I still think the best course of action is to remotely lock the instances (setting auth via API) but if they go out of their way to disable tripwire, they kinda have it coming :frowning:

edit: if you want to do some good, here’s a one-click bricker for their stash https://notes.feederbox.cc/brick-stash/ | source code

Oh no, sad to see how little some people care about their privacy/security.
I changed the password on some myself so they are safe.

edited: It’s funny how some of those instances are faster than my own local one running in a VM. :grinning_face_with_smiling_eyes:


I guess my setup is pretty secure.. I’m running it behind caddy as a reverse-proxy.. with a single user login with a rather HYUGE password … And I have my porn collection set up through rclone to be read only. Only thing I care about that is modifiable is the database itself.

I’m with the others here.
Leaving your stash available on the internet is risky.
It has been discussed here many times and people want to leave their doors unlocked.

The analogy from olddude is faulty. In his day, people had to come to your unlocked door in person. Today a script runs from anywhere in the world and you are Pwned.

Did I get that expression right?

Who even thinks it is a good idea to make your Stash publicly available without any kind of protection?
I use Cloudflare Zero Trust + the native username and password authentication of Stash. This means I have DDoS protection and to get access to my Stash you need a combination of either of the following:

  1. GitHub Passkey + Stash username and password
  2. GitHub username and password and OTP + Stash username and password
  3. GitHub username and password and Passkey + Stash username and password

So multiple layers of authentication. Should be pretty secure. Cloudflare Zero Trust is awesome and free, you guys should check it out.

Oh, and of course, I make off-site backups of all my stuff.