Menu
MongoDB support firm says intruders may have accessed databases

MongoDB support firm says intruders may have accessed databases

MongoHQ said it's conducting an audit and strengthening its security procedures

MongoHQ, which provides hosting and support for the open-source Mongo database, said attackers may have accessed several of its customers' databases earlier this week.

On Monday, someone accessed an internal support application using a password that had been used for a compromised personal account, wrote Jason McCay, MongoHQ's founder.

The support application contains connection information for customer MongoDB instances, along with lists of databases, email addresses and user credentials hashed with bcrypt, a file encryption tool, McCay wrote. An audit showed that several databases may have been accessed via that support application.

"We believe we have exhausted the scope of this compromise and are directly contacting all affected customers," McCay wrote. "We are continuing to evaluate our audit logs and conducting further investigations with the help of third-party experts."

The company invalidated credentials such as IAM (Identity and Access Management) keys it stored for customers using Amazon Web Services (AWS) for backups. MongoHQ has notified AWS of the accounts that may have been affected, and AWS is offering Premium Support for organizations that need new credentials, McCay wrote.

MongoHQ, which has offices in California and Alabama, provides services to let developers create and manage NoSQL Mongo databases for their applications.

Since the breach, MongoHQ said it has reset the login credentials for its employee accounts, including email, network devices and internal applications. Employee-facing support applications have been disabled until two-factor authentication is enabled, VPN connections to those applications are enforced and employee access permissions are reviewed, McCay wrote.

In the meantime, McCay said MongoHQ is modifying its system to encrypt and decrypt data at the application level, which will mitigate possible damage from the same type of intrusion. It has also hired a security consulting firm to do a penetration test of its application stack, McCay wrote.

"Based on their recommendations, we will be hardening our applications to provide more layers of security," he wrote.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Subscribe here for up-to-date channel news

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags databasesapplicationssecuritydata breachsoftwareMongoHQdata protection

Featured

Slideshows

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards

Revealed at a glitzy bash in Sydney at the Ivy Penthouse, the first StorageCraft Partner Awards locally saw the vendor honour its top-performing partners with ASI Solutions, SMBiT Pro, Webroot, ACA Pacific and Soft Solutions New Zealand taking home the top awards. Photos by Maria Stefina.

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards
Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip

Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip

​Synnex and Lenovo hosted 18 resellers for an action-packed weekend adventure in RotoVegas, taking in white water rafting on the Kaituna River, as well as quad biking and dinner at Stratosfare​, overlooking Lake Rotorua at the top of Mount Ngongotaha​. Photos by Synnex.

Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip
Show Comments