MongoHQ Breach Underscores Lack of Strong Password, Network Security
An attacker broke into database service MongoHQ and used an "impersonate" support feature to access a limited number of users' data.
Using the compromised username and password of an administrator, attackers breached the network of database-as-a-service firm MongoHQ, accessing the data of a "limited number" of users, the firm said in a detailed description of the attack published on Oct. 29. MongoHQ, which provides managed access to instances of the unstructured database software MongoDB, discovered the attack on Oct. 28 and immediately shut down access to internal applications until each team member had reset his or her credentials.
The attackers gained access to the company's support application, which in turn gave them access to customers' account information, including databases, email addresses and encrypted user credentials, CEO and co-founder Jason McCay said in a detailed post. "In handling security incidents, MongoHQ's priorities are to halt the attack, eliminate the control failures that allowed the attack to occur, and to report the incident candidly and accurately to our customers," he said.
An audit of the attackers' actions on the system showed that some customers' accounts were accessed using the "impersonate" support feature that allows support personnel to view accounts as if they were the customer. The company has contacted the affected customers, McCay said.
The attackers had gained access using a username and password that had been compromised in a separate breach. Most users memorize a small list of passwords that they use on different sites, even though the reuse of passwords puts linked accounts in danger. To offset the risk in the future, the company has implemented two-factor authentication for internal applications, McCay said.