Shared password across accounts results in MongoHQ breach

“It appears MongoHQ had an admin application used by employees to manage accounts and that was available over public internet,” Campbell said. “It’s not the best practice, but it’s common.”
Campbell added, “The attackers were able to connect the dots. They were able to find the MongoHQ admin interface. If the admin site was protected by a virtual private network (VPN), the attackers would not have found the website so easily. It would be a longer attack. It would require compromising VPN credentials.”
Establishing a VPN is just one of the actions MongoHQ has taken in response to the incident, McCay said, explaining that all MongoHQ employee email accounts, network devices and internal applications have been locked pending a reset of credentials and an audit.
Additionally, the admin application will remain down until a third-party security firm validates two-factor authentication, a system of permissions for personnel privileges, and that access to applications, services and tools is provided exclusively through the VPN.
“Every internal database we operate has been re-credentialed; our operating environment is being rigorously audited to ensure that no information available to support users on Oct. 28 is of any use in the future,” according to the McCay post. “We are modifying our system to encrypt/decrypt sensitive data at the application level to mitigate the effect of an unauthorized user accessing our accounts [database].”