Shared password across accounts results in MongoHQ breach
Upon detecting unauthorized access to an employee's administration application on Monday, California-based database-as-a-service platform MongoHQ discovered it was the victim of a breach that may have compromised information of its employees and customers.
Some of that information includes lists of databases, email addresses and bcrypt-hashed credentials, according to a post by MongoHQ CEO Jason McCay. He added that all affected customers are being notified directly.
The classic no-no of sharing passwords across multiple accounts is what gave the attackers access to the MongoHQ admin application. The password – used for an employee's admin account – was the same one used for a personal account, according to McCay, who said it was discovered that the staffer's personal account had been compromised.
David Campbell, co-founder of cloud server management company JumpCloud, who has years of penetration testing experience, told SCMagazine.com on Wednesday that he believes the personal account was an email, Facebook or Twitter account and that it was likely compromised due to a spear phishing attack.
“It appears MongoHQ had an admin application used by employees to manage accounts and that was available over public internet,” Campbell said. “It's not the best practice, but it's common.”
Campbell added, “The attackers were able to connect the dots. They were able to find the MongoHQ admin interface. If the admin site was protected by a virtual private network (VPN), the attackers would not have found the website so easily. It would be a longer attack. It would require compromising VPN credentials.”
Establishing a VPN is just part of the actions MongoHQ has taken in response to the incident, McCay said, explaining all MongoHQ employee email accounts, network devices and internal applications have been locked pending a reset of credentials and an audit.
Additionally, the admin application will remain down until a third-party security firm validates two-factor authentication, a system of permissions for personnel privileges, and that access to applications, services and tools are provided exclusively through the VPN.
“Every internal database we operate has been re-credentialed; our operating environment is being rigorously audited to ensure that no information available to support users on Oct. 28 is of any use in the future,” according to the McCay post. “We are modifying our system to encrypt/decrypt sensitive data at the application level to mitigate the effect of an unauthorized user accessing our accounts [database].”
The MongoHQ breach led to the compromise of social media sharing service Buffer, which revealed on Oct. 26 that it was the victim of a hack and confirmed the reason in a follow-up post. MongoHQ manages Buffer's database.