Impact of MongoHQ Security Breach Spans Several Services


A data breach of database hosting service MongoHQ gave attackers access to customer account information last week, causing a number of issues for a handful of its customers.

Some services affected by the breach include Buffer (a service that lets one delay social media updates), developer utility CircleCI and calendar app Sunrise (putting some day-book data at risk). And while MongoHQ disabled many applications entirely and beefed up security, many of these application developers had to take matters into their own hands.

MongoHQ founder and CEO Jason McCay apologized for the data breach in a forthright blog post. He also outlined what customers should do, including, at the very least, changing database passwords and checking databases and MongoHQ accounts for suspicious activity such as unused, expired or invalid usernames.

According to a company blog post, CircleCI first noticed suspicious activity on Oct. 28. It began cycling keys and security credentials as a precaution. A day later, MongoHQ announced it had been compromised, and its database was accessed by one of the IPs responsible for the intrusion dating back to Oct. 27.

To contain any potential risk, CircleCI decided to shut down the CircleCI website and stop all builds, revoke all API tokens and SSH keys that it had access to, and work with upstream vendors to similarly protect users from possible exposure. CircleCI also sent additional notifications and instructions to its users who may have stored SSH keys in CircleCI’s database.

CircleCI founder Paul Biggar stated on the company blog, “Our goals were to protect our customers, to communicate what had happened with them, and only then to recover the CircleCI service after we were certain of the safety of customer code.”

The head of technology for the Asia-Pacific region of IT security provider Sophos, Paul Ducklin, explained some of the issues that caused and exacerbated the data breach in a recent blog post.

Ducklin said that attackers were able to discover the login details for a user’s personal account, which happened to be the same as their work account, giving them a password to access that MongoHQ account, which was all they needed because there was no two-factor authentication.

Once logged in, Ducklin said, they had access to MongoHQ’s internal support application (which did not require them to log into a secure VPN). This provided access to customer account information such as email addresses and bcrypt-hashed passwords, and the support application let insiders log into customer accounts without needing the customers' plaintext passwords at all. Also, no Access Control Lists limited what individual users could access.
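To make the chain of missing controls concrete, here is an added illustration (not code from MongoHQ, CircleCI or Sophos) of the authorization decision an internal support tool could make before letting a staff session act as a customer. It evaluates one constructed session, a valid password but no second factor, arriving from outside a VPN range, under a policy with none of the controls and under one that requires MFA, a VPN source address and an ACL entry; all names, addresses and customer ids are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Session:
    user: str           # staff login name
    mfa_verified: bool  # True only if a second factor was completed this session
    source_ip: str      # address the request arrived from

@dataclass
class Policy:
    require_mfa: bool = True
    vpn_network: Optional[str] = "10.8.0.0/16"   # constructed VPN address range; None = no VPN check
    acl: Optional[Dict[str, Set[str]]] = None    # staff -> customer ids they may act on; None = no ACL

def authorize_impersonation(session: Session, customer_id: str,
                            policy: Policy, audit: List[dict]) -> Tuple[bool, List[str]]:
    """Decide whether a staff session may act as a customer; always write an audit record."""
    denied: List[str] = []
    if policy.require_mfa and not session.mfa_verified:
        denied.append("mfa_required")
    if policy.vpn_network is not None and \
            ipaddress.ip_address(session.source_ip) not in ipaddress.ip_network(policy.vpn_network):
        denied.append("vpn_required")
    if policy.acl is not None and customer_id not in policy.acl.get(session.user, set()):
        denied.append("not_in_acl")
    # Every attempt is recorded, allowed or not, so unusual access can be reviewed later.
    audit.append({"user": session.user, "customer": customer_id,
                  "allowed": not denied, "denied": list(denied)})
    return (not denied, denied)

def compare_policies() -> Dict[str, Tuple[bool, List[str]]]:
    """Same session evaluated under a policy with none of the controls and one with all three."""
    # Constructed session: a valid password, no second factor, request from outside the VPN.
    session = Session(user="support_alice", mfa_verified=False, source_ip="203.0.113.7")
    weak = Policy(require_mfa=False, vpn_network=None, acl=None)
    hardened = Policy(acl={"support_alice": {"cust-1001"}})  # may act on one customer only
    audit: List[dict] = []
    return {
        "weak": authorize_impersonation(session, "cust-2002", weak, audit),
        "hardened": authorize_impersonation(session, "cust-2002", hardened, audit),
    }
```

Under the weak policy the password alone is enough to reach any customer, which is the situation the article describes; under the hardened policy the same session is refused for three independent reasons, so any one of the controls would have stopped it.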

If anything, this incident serves as a useful case study in keeping a system secure, and that includes dealing only with trusted partners.
