MongoDB support firm says intruders may have accessed databases

MongoHQ said it's conducting an audit and strengthening its security procedures

MongoHQ, which provides hosting and support for the open-source Mongo database, said attackers may have accessed several of its customers' databases earlier this week.

On Monday, someone accessed an internal support application using a password that had been used for a compromised personal account, wrote Jason McCay, MongoHQ's founder.

The support application contains connection information for customer MongoDB instances, along with lists of databases, email addresses and user credentials hashed with bcrypt, a file encryption tool, McCay wrote. An audit showed that several databases may have been accessed via that support application.

"We believe we have exhausted the scope of this compromise and are directly contacting all affected customers," McCay wrote. "We are continuing to evaluate our audit logs and conducting further investigations with the help of third-party experts."

The company invalidated credentials such as IAM (Identity and Access Management) keys it stored for customers using Amazon Web Services (AWS) for backups. MongoHQ has notified AWS of the accounts that may have been affected, and AWS is offering Premium Support for organizations that need new credentials, McCay wrote.

MongoHQ, which has offices in California and Alabama, provides services to let developers create and manage NoSQL Mongo databases for their applications.

Since the breach, MongoHQ said it has reset the login credentials for its employee accounts, including email, network devices and internal applications. Employee-facing support applications have been disabled until two-factor authentication is enabled, VPN connections to those applications are enforced and employee access permissions are reviewed, McCay wrote.

In the meantime, McCay said MongoHQ is modifying its system to encrypt and decrypt data at the application level, which will mitigate possible damage from the same type of intrusion. It has also hired a security consulting firm to do a penetration test of its application stack, McCay wrote.

"Based on their recommendations, we will be hardening our applications to provide more layers of security," he wrote.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags applicationsdatabasessecuritydata breachMongoHQsoftwaredata protection

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?