MySQL Exposure on the Internet: A Global Snapshot from Shodan Data
March 04, 2026
MySQL is one of the most widely used database engines in the world. It powers web applications, SaaS platforms, internal systems, APIs, analytics stacks, and embedded products.
Unlike RDP, MySQL is not designed to be internet-facing by default. It is intended to sit behind an application layer or inside a trusted network segment. Yet Shodan visibility shows over two million publicly reachable MySQL services.
This is not a vulnerability scan. It is a visibility snapshot of what is responding on port 3306.
Methodology
Query used:
MySQL exposure on port 3306 responding.
This dataset is based entirely on Shodan indexed results at the time of collection.
Important note: Not every service on port 3306 is guaranteed to be MySQL. Some systems may run alternative database engines, proxies, or custom services on that port. However, the overwhelming majority of responses fingerprint as MySQL or MySQL compatible variants.
Total Global MySQL Exposure
Total exposed MySQL services: 2,053,167
That makes MySQL one of the most widely exposed infrastructure services visible on the public internet.
| Country | Instances |
|---|---|
| China (CN) | 671,738 |
| United States (US) | 572,770 |
| Hong Kong (HK) | 168,675 |
| Germany (DE) | 84,761 |
| Japan (JP) | 53,899 |
| Singapore (SG) | 44,610 |
| Netherlands (NL) | 38,428 |
| France (FR) | 33,543 |
| South Korea (KR) | 31,923 |
| Russia (RU) | 29,238 |
| United Kingdom (GB) | 27,226 |
| India (IN) | 26,211 |
| Brazil (BR) | 24,438 |
| Canada (CA) | 24,340 |
Germany is the highest in the EU, followed by the Netherlands and France. Exposure correlates strongly with infrastructure size and hosting density. But scale does not eliminate risk.
MySQL Exposure Across the EU-27
Focusing specifically on the 27 European Union member states, we identified:
Total exposed MySQL services: 233,262
That is nearly a quarter of a million publicly reachable database servers across the EU alone.
| Country | Instances |
|---|---|
| Germany | 84,761 |
| Netherlands | 38,430 |
| France | 33,543 |
| Italy | 9,787 |
| Poland | 9,257 |
| Spain | 8,531 |
| Finland | 8,030 |
| Romania | 6,301 |
| Sweden | 4,437 |
| Belgium | 4,057 |
| Hungary | 3,618 |
| Czechia | 3,530 |
| Bulgaria | 2,858 |
| Portugal | 2,627 |
| Denmark | 2,349 |
| Ireland | 2,150 |
| Estonia | 1,863 |
| Austria | 1,544 |
| Lithuania | 1,458 |
| Greece | 982 |
| Latvia | 801 |
| Slovakia | 770 |
| Luxembourg | 632 |
| Slovenia | 405 |
| Croatia | 347 |
| Cyprus | 136 |
| Malta | 58 |
Germany alone represents more than one third of all EU MySQL exposure. The Netherlands and France follow, which is consistent with their strong hosting and cloud infrastructure presence.
Raw numbers alone do not indicate weaker security. Larger digital economies naturally host more services. What matters more is version distribution and configuration quality.
Version Distribution in the EU
Looking at version fingerprints across the EU dataset, we see a mix of modern and legacy builds.
| Version | Instances |
|---|---|
| 8.0.45-0ubuntu0.24.04.1 | 16,786 |
| 8.0.45-0ubuntu0.22.04.1 | 7,865 |
| 8.0.36-28 | 4,802 |
| 8.0.42-0ubuntu0.20.04.1 | 3,847 |
| 5.7.44 | 2,829 |
| 8.0.42-azure | 2,535 |
| 5.7.33-0ubuntu0.16.04.1 | 2,503 |
| 8.0.45 | 2,401 |
| 8.0.44 | 2,377 |
| 5.1.73 | 2,238 |
Encouragingly, MySQL 8.0 variants dominate the top of the list. However, there is still a substantial presence of legacy versions.
Version Distribution Overview (Global)
One of the most important signals in exposed database services is version diversity. The dataset includes a wide range of versions, including a long tail of legacy versions still running.
| Version | Instances |
|---|---|
| 5.7.44-log | 132,946 |
| 5.7.23-23 | 67,049 |
| 8.0.36 | 55,776 |
| 8.0.45 Ubuntu builds | 46,000+ |
| 5.6.50-log | 24,947 |
| 5.6.51 | 17,414 |
| 5.5.x variants | 15,000+ |
| 5.1.73 | 12,030 |
| 5.0.x variants | Thousands |
| 4.x variants | Hundreds |
MySQL 5.5 and 5.6 are end of life. MySQL 5.1 and 5.0 are ancient. MySQL 4.x appearing on the internet in 2026 is a major red flag. When a database is both publicly exposed and running unsupported software, risk multiplies.
Is Public MySQL Exposure a Security Problem?
In most architectures, yes. A database server should not be directly reachable from the public internet.
Databases are meant to sit behind:
- Application servers
- API gateways
- Reverse proxies
- Private networks
- VPN tunnels
When MySQL is exposed directly on port 3306, it presents:
- Direct authentication surface
- Brute force opportunity
- User enumeration potential
- Version fingerprinting
- Exploit targeting
Even if authentication is required, exposure alone increases attack surface. From a pentester perspective, internet exposed MySQL immediately becomes an assessment focus.
From a Pentester Perspective
If we can reach a MySQL service directly from the internet, we evaluate:
- Does it allow remote root login?
- Are weak passwords accepted?
- Is there no connection throttling?
- Is there no account lockout?
- Is TLS disabled?
- Is it running an end of life version?
If brute force is possible without throttling or lockout, this is typically classified as High severity. If weak credentials are found or anonymous access exists, it becomes Critical.
Exposure combined with outdated versions does not decrease risk. It compounds it. Databases often contain user data, credentials, API keys, and financial records. Compromise impact can be extreme.
Important Context and Limitations
This analysis is based entirely on Shodan visibility. Shodan does not represent a complete census of all exposed MySQL services. Some hosts may block scanners, be behind rate limiting, or use non standard configurations.
Additionally, not every service on port 3306 is guaranteed to be MySQL, and some instances may be honeypots. However, the data clearly shows that exposure dramatically increases attack surface.
MySQL Hardening Checklist
1. Restrict Network Access
- Bind MySQL to localhost whenever possible
- Use firewall allowlisting
- Allow inbound 3306 only from specific application IP addresses
- Never allow 0.0.0.0 access unless absolutely required
2. Disable Remote Root Access
- Remove remote root login
- Use dedicated application accounts
- Limit privileges per account
3. Enforce Strong Authentication
- Long, unique passwords
- No shared credentials
- No default accounts
4. Require TLS
- Enforce encrypted client connections
- Disable insecure transport
- Validate certificates
5. Implement Brute Force Controls
- Enable connection rate limiting
- Monitor failed login attempts
- Alert on repeated authentication failures
6. Patch Aggressively
- Upgrade to supported versions
- Remove end of life versions (5.5, 5.6, etc.)
- Track CVEs affecting your version
7. Monitor and Log
- Log failed authentication attempts
- Monitor unusual query behavior
- Alert on privilege changes
Part of the EU Exposure Series
Explore our other research on protocol exposure across the 27 EU member states:
Final Thoughts
Over 2 million exposed MySQL services worldwide is not a small number. Unlike FTP or RDP, MySQL often holds the core data of an organization. When databases are directly reachable from the internet, especially on outdated versions, risk escalates quickly.
Exposure alone does not equal compromise. But exposure combined with weak authentication, poor segmentation, or end of life software creates one of the highest impact attack surfaces in modern infrastructure.