MongoDB-as-a-service provider MongoHQ detected unauthorized access to an internal support application on Monday, giving attackers access to customer account information, including databases, email addresses and bcrypt-hashed user credentials.
The support tool includes an “impersonate” feature that employees use to access MongoHQ’s UI as if they were a customer, and this feature was used with a small number of customer web UI accounts. MongoHQ is contacting the affected customers directly, since attackers could have accessed their databases through this feature.
“As one of the founders of this company and a part of this great team, I hoped to never have to send this notice,” Jason McCay wrote in a blog post on Tuesday. “The safety of your data is our top priority. We are taking all appropriate steps to mitigate this risk and protect you. Our team is fully available to help and answer questions and assist during this event.”
MongoHQ has disabled many applications entirely, McCay said, and has enabled two-factor authentication for email and back-office applications.
“We’ve conducted an audit of direct access to customer databases and determined that several databases may have been accessed using information stored in our account database,” he said. “We are contacting affected customers directly. If you have not heard from us individually, there is no evidence that your DB was accessed by an unauthorized user.”
According to MongoHQ, it will not re-enable its support system until a third party is able to validate that its two-factor authentication is functioning and that access to applications is provided solely through VPN.
“As a precaution, we took additional steps on behalf of our customers to invalidate the Amazon Web Services credentials we were storing for you (for the purposes of backups to S3),” McCay said. “While this prevents the abuse of your AWS credentials by any malicious party, it may have resulted in additional unintended consequences for your AWS environment if you were utilizing the same AWS credentials for other purposes. We apologize for any inconvenience, and we have provided a list of impacted AWS credentials to AWS Security.”
MongoHQ is working with a third-party security firm to evaluate audit logs and conduct further investigations, but urges customers to change database passwords and check databases and MongoHQ accounts for unused, expired or invalid user names.