Shared password across accounts results in MongoHQ breach


Upon detecting unauthorized access to an employee's administration application on Monday, California-based database-as-a-service platform MongoHQ discovered it was the victim of a breach that may have compromised information of its employees and customers.

Some of that information includes lists of databases, email addresses and bcrypt-hashed credentials, according to a post by MongoHQ CEO Jason McCay. Bcrypt slows offline guessing but does not prevent it, so weak or reused passwords among those hashes remain at risk. McCay added that all affected customers are being notified directly.

Password reuse across accounts is what gave the attackers access to the MongoHQ admin application. The password for an employee's admin account was the same one the employee used for a personal account, according to McCay, who said the staffer's personal account had been found to be compromised.

David Campbell, co-founder of cloud server management company JumpCloud, who has years of penetration testing experience, said on Wednesday that he believes the personal account was an email, Facebook or Twitter account and that it was likely compromised through a spear phishing attack.

“It appears MongoHQ had an admin application used by employees to manage accounts and that was available over public internet,” Campbell said. “It's not the best practice, but it's common.”

Campbell added, “The attackers were able to connect the dots. They were able to find the MongoHQ admin interface. If the admin site was protected by a virtual private network (VPN), the attackers would not have found the website so easily. It would be a longer attack. It would require compromising VPN credentials.”

Putting the admin application behind a VPN is only one of the actions MongoHQ has taken in response to the incident, McCay said, explaining that all MongoHQ employee email accounts, network devices and internal applications have been locked pending a reset of credentials and an audit.

Additionally, the admin application will remain down until a third-party security firm validates that two-factor authentication is in place, that personnel privileges are governed by a permission system, and that access to applications, services and tools is provided exclusively through the VPN.

“Every internal database we operate has been re-credentialed; our operating environment is being rigorously audited to ensure that no information available to support users on Oct. 28 is of any use in the future,” according to the McCay post. “We are modifying our system to encrypt/decrypt sensitive data at the application level to mitigate the effect of an unauthorized user accessing our accounts [database].”
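As an added illustration of the application-level encryption McCay describes, here is example code written for this article, not MongoHQ's implementation. The key source, the record layout and the field names are assumptions. The sensitive value is sealed with AES-256-GCM under a key the application holds outside the accounts database, and the record's ID is bound in as associated data, so an intruder who can read the accounts collection gets ciphertext they can neither decrypt nor transplant into another row.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// keySize is 32 bytes, i.e. AES-256.
const keySize = 32

// NewDataKey generates a fresh random data key. In deployment the key would be
// loaded from a secrets manager or the environment, never stored in the
// accounts database whose compromise this scheme is meant to survive
// (assumption for this example, not MongoHQ's design).
func NewDataKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, fmt.Errorf("key must be %d bytes, got %d", keySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one sensitive column value with AES-256-GCM.
// The record's primary key is passed as additional authenticated data, so a
// ciphertext copied into a different row fails to decrypt.
// Stored layout: nonce (12 bytes) || ciphertext || GCM tag.
func EncryptField(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	sealed := aead.Seal(nil, nonce, plaintext, []byte(recordID))
	return append(nonce, sealed...), nil
}

// DecryptField reverses EncryptField. It returns an error for a wrong key,
// a tampered blob, or a blob bound to a different record ID.
func DecryptField(key []byte, recordID string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(recordID))
}

// Account is a constructed stand-in for a row in a hosting provider's accounts
// collection: the email stays searchable, the database credential is stored sealed.
type Account struct {
	ID           string
	Email        string
	SealedDBPass []byte
}

// StoreAccount seals the credential before it ever reaches the datastore.
func StoreAccount(key []byte, id, email, dbPassword string) (Account, error) {
	sealed, err := EncryptField(key, id, []byte(dbPassword))
	if err != nil {
		return Account{}, err
	}
	return Account{ID: id, Email: email, SealedDBPass: sealed}, nil
}

// LeaksPlaintext models what a dump of the accounts collection gives an
// intruder: true if the raw secret appears in the stored bytes.
func LeaksPlaintext(a Account, secret string) bool {
	return bytes.Contains(a.SealedDBPass, []byte(secret))
}

func main() {
	key, _ := NewDataKey()
	acct, _ := StoreAccount(key, "acct-1", "ops@example.com", "s3cret-db-pass")
	fmt.Printf("stored bytes contain plaintext: %v\n", LeaksPlaintext(acct, "s3cret-db-pass"))
	pw, err := DecryptField(key, acct.ID, acct.SealedDBPass)
	fmt.Printf("application-side decrypt: %q err=%v\n", pw, err)
	_, err = DecryptField(key, "acct-2", acct.SealedDBPass)
	fmt.Printf("same blob presented under another record id: err=%v\n", err)
}
```

The scheme only helps if the data key lives somewhere the accounts database compromise does not also reach; an attacker who can read the key alongside the rows gets the plaintext back with one call. Keeping the email in the clear is a deliberate trade so that lookups still work; only the values an intruder could act on directly are sealed.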

The MongoHQ breach led to the compromise of social media sharing service Buffer, which revealed on Oct. 26 that it had been hacked and confirmed the cause in a follow-up post. MongoHQ hosts Buffer's database.
