MongoHQ Breach Underscores Lack of Strong Password, Network Security

An attacker broke into database service MongoHQ and used an "impersonate" support feature to access a limited number of users' data.

Using the compromised username and password of an administrator, attackers breached the network of database-as-a-service firm MongoHQ, accessing the data of a "limited number" of users, the firm said in a detailed description of the attack published on Oct. 29.

MongoHQ, which provides managed access to instances of that unstructured database software MongoDB, discovered the attack on Oct. 28 and immediately shut down access to internal applications until each team member had reset his or her credentials. The attackers gained access to the company's support application, which in turn gave them access to customers' account information, including databases, email addresses and encrypted user credentials, CEO and co-founder Jason McCay said in a detailed post.

"In handling security incidents, MongoHQ's priorities are to halt the attack, eliminate the control failures that allowed the attack to occur, and to report the incident candidly and accurately to our customers," he said.

An audit of the attackers actions on the system showed that some customers' accounts were accessed using the "impersonate" support feature that allows support personnel to view accounts as if they were the customer. The company has contacted the affected customers, McCay said.

The attackers had gained access using a username and password that had been compromised in a separate breach. Most users memorize a small list of passwords that they use on different sites, even though the reuse of passwords puts linked accounts in danger. To offset the risk in the future, the company has implemented two-factor authentication for internal applications, McCay said.

The company should be commended for the openness of its account of the attack, said Geoff Webb, director of solutions strategy for security-as-a-service provider NetIQ. However, by using only a password for internal account security, MongoHQ left itself open to an outsider gaining elevated privileges inside its network, Webb said.

"If someone is inside, whether they are the employee or someone masquerading as an employee, then I need to find a way to deal with that," he said.

A common way to prevent outsiders from accessing internal resources is to use network segmentation to add another layer of security, according to Chris Hinkley, a senior security architect with FireHost, a secure hosting provider.

"This is a worrying lack of segmentation regarding the administrative applications and other portions of the network, which meant a breach was always in the cards," Hinkley said in a statement. "The support applications should have not been publicly accessible at all and a VPN, preferably with two-factor authentication, should have been in place to prevent damage from compromised passwords."

Scalable databases capable of handling large datasets, such as MongoDB, have become very popular as so-called "big data" analytics have caught on with enterprises. MongoHQ, which offers access to scalable databases in the cloud, has quickly grown and now handles some 6 billion database transactions every day, according to the firm.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...