Last week, NoSQL database hosting service MongoHQ suffered a major security breach, affecting its customers and potentially their S3 storage accounts on Amazon Web Services (AWS). MongoHQ co-founder Jason McKay said that unauthorized access to an internal, employee-facing support application was spotted on October 28th, 2013. The company immediately shut down the employee support application and secured the account that had been left improperly protected.
According to McKay, the support application was compromised because an employee had reused the same login credentials on the support application and on a personal account that had already been hacked. Unfortunately, this employee had access to account information, including lists of databases, email addresses, and bcrypt-hashed user credentials. The good news is that MongoHQ denied access to internal applications until a team-wide credential reset and audit had been performed, limiting the incident to that one employee's account.
"Our support tool includes an 'impersonate' feature that enables MongoHQ employees to access our primary web UI as if they were a logged-in customer, for use in troubleshooting customer problems," McKay writes. "This feature was used with a small number of customer web UI accounts. Our primary web UI allows customers to browse data and manage their databases. We are contacting affected customers directly."
McKay said that the unauthorized user was apparently scanning for social media authentication information for spamming purposes, and probing for financial information in customer databases. "We have additionally determined that an unauthorized user to our support system would have had some access to our account database, which includes connection info for customer MongoDB instances," he adds.
Last Thursday, McKay updated his open letter to report that MongoHQ had identified instances of third-party access to some customer accounts via the web UI (impersonated accounts). The intruders used the impersonation feature to reach the MongoHQ accounts database, then used the connection information stored there to access some customer databases directly. Logs indicated that third-party access to these databases began on October 27th, 2013.
"We are still notifying customers directly when we find evidence of unauthorized access to their databases or impersonations of their web accounts," he writes. "If you have not heard from us yet, we still recommend being paranoid and taking steps to mitigate potential problems resulting from unauthorized access to your data."
MongoHQ customers are encouraged to change their database password, either through the MongoHQ UI or by connecting directly to the database and running "db.addUser('USERNAME', 'PASSWORD')" (without quotes). Customers should also check their database and MongoHQ account for unused, expired, or invalid usernames. They also need to visit the AWS Management Console and regenerate any access keys they had given to MongoHQ.
"Our investigations into this incident are ongoing," McKay writes. "We deeply regret this event and would like to help as you work through it as much as possible. We have reported this access to the FBI Division of Cybercrime in San Francisco, CA, are engaging industry-leading forensic experts and have taken aggressive operational and technical steps to mitigate the effect of the breach and prevent future breaches of this nature."
About the Author
Kevin Parrish is a contributing editor and writer for Tom's Hardware, Tom's Games, Tom's Guide and Tom's IT Pro. He's also a graphic artist, CAD operator and network administrator.
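The remediation steps above (rotate database passwords, drop unused or invalid database users, regenerate AWS keys shared with the provider) can be turned into a checklist that an affected customer runs against their own inventory. The script below is an added example, not MongoHQ's tooling or anything from the article; it assumes two constructed inputs, user documents shaped like the 2013-era "db.system.users" entries and an IAM access-key listing, and it uses the October 27th, 2013 date from the article as the start of the window in which key activity should be treated as suspect.

```python
"""Post-incident credential audit for a hosted MongoDB deployment.

Added example (not MongoHQ's or the article's own code). It computes, from
constructed inputs, which database users to rotate or remove and which AWS
access keys to regenerate, with the date from which each key's use in S3
access logs should be reviewed.
"""
from datetime import datetime, timezone

# Date from the article: logs showed third-party database access starting 27 Oct 2013.
INCIDENT_START = datetime(2013, 10, 27, tzinfo=timezone.utc)

# Constructed sample shaped like MongoDB 2.4 system.users documents (all values fake).
SAMPLE_DB_USERS = [
    {"user": "app_rw", "roles": ["readWrite"], "pwd": "0123456789abcdef0123456789abcdef"},
    {"user": "reporting_ro", "roles": ["read"], "pwd": "fedcba9876543210fedcba9876543210"},
    {"user": "tmp_migration", "roles": ["readWrite"], "pwd": "00000000000000000000000000000000"},  # nobody owns this one
    {"user": "", "roles": ["readWrite"], "pwd": "11111111111111111111111111111111"},  # invalid: empty name
]
# The accounts the application team can actually vouch for (constructed).
EXPECTED_DB_USERS = {"app_rw", "reporting_ro"}

# Constructed sample shaped like an IAM access-key listing; key ids are placeholders.
SAMPLE_AWS_KEYS = [
    {"AccessKeyId": "AKIAEXAMPLE000000001", "CreateDate": "2013-06-01T00:00:00Z", "Status": "Active"},
    {"AccessKeyId": "AKIAEXAMPLE000000002", "CreateDate": "2013-10-30T12:00:00Z", "Status": "Active"},
    {"AccessKeyId": "AKIAEXAMPLE000000003", "CreateDate": "2012-01-15T00:00:00Z", "Status": "Inactive"},
]


def classify_db_users(users, expected):
    """Split database users into (rotate, remove).

    Recognised accounts keep their name and get a new password, which is what the
    article's db.addUser('USERNAME', 'PASSWORD') call is used for in the 2013-era
    shell. Unknown names and entries with an empty or non-string name are removed
    rather than rotated.
    """
    rotate, remove = [], []
    for doc in users:
        name = doc.get("user")
        if not isinstance(name, str) or not name.strip():
            remove.append(name)          # invalid username: drop the entry outright
        elif name in expected:
            rotate.append(name)
        else:
            remove.append(name)          # unused/unowned account: remove, don't rotate
    return rotate, remove


def _parse_iso_utc(stamp):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the key listing."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def keys_to_regenerate(keys, incident_start=INCIDENT_START):
    """Every key shared with the provider gets regenerated, whatever its status.

    Returns (key_id, suspect_from) pairs: the earliest moment from which use of the
    key should be treated as possibly unauthorized when reviewing S3 access logs,
    i.e. the later of the key's creation and the start of the incident window.
    """
    plan = []
    for key in keys:
        created = _parse_iso_utc(key["CreateDate"])
        plan.append((key["AccessKeyId"], max(created, incident_start)))
    return plan


def remediation_plan(users=SAMPLE_DB_USERS, expected=EXPECTED_DB_USERS, keys=SAMPLE_AWS_KEYS):
    """Assemble the three action lists the article asks customers to work through."""
    rotate, remove = classify_db_users(users, expected)
    return {
        "rotate_password": rotate,
        "remove_user": remove,
        "regenerate_key": [(kid, when.strftime("%Y-%m-%d")) for kid, when in keys_to_regenerate(keys)],
    }


if __name__ == "__main__":
    for action, items in remediation_plan().items():
        print(f"{action}:")
        for item in items:
            print(f"  {item!r}")
```

Run it as a script and feed the "rotate_password" list to the article's db.addUser call one user at a time; the "regenerate_key" dates mark where log review for each key should begin, and every key is regenerated regardless of whether it is marked Active or Inactive, since status says nothing about who holds a copy of the secret.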