Cloud-based database service MongoHQ said it’s changing log-in credentials for employees and customers alike after suffering a security breach that allowed attackers to access sensitive customer files and obtain users’ e-mail addresses and cryptographically scrambled password data.
The intrusion occurred Monday, when hackers gained access to an internal support application that included a troubleshooting feature that allows MongoHQ employees to view an account as if they are a specific customer. The support application allowed the intruders to view account information, including lists of databases, e-mail addresses, and passwords that were protected with the bcrypt hashing algorithm, Jason McCay, co-founder of the service, wrote in an advisory published Tuesday afternoon. The attackers also had the ability to view the MongoHQ account database, which includes connection information for customers’ MongoDB instances.
“We’ve conducted an audit of direct access to customer databases and determined that several databases may have been accessed using information stored in our account database,” McCay wrote. “We are contacting affected customers directly. If you have not heard from us individually, there is no evidence that your DB was accessed by an unauthorized user.”
The breach was the result of a “credential that had been shared with a compromised personal account.” Buffer, a service that allows people to schedule updates to Twitter, Facebook, and other social media sites, experienced a hack over the weekend. The method used in the MongoHQ breach was similar to the one used to obtain Buffer users’ access tokens, Buffer CEO and founder Joel Gascoigne wrote in a post Tuesday on Hacker News.
McCay went on to instruct customers to change database passwords, either through the MongoHQ user interface or by connecting directly to the database and issuing the db.addUser(‘USERNAME’, ‘PASSWORD’) command. To prevent further breaches, MongoHQ employees have also invalidated any Amazon Web Services credentials that were stored on the site for purposes of backing up databases to the Amazon S3 service.