MongoHQ Security Breach

MongoHQ Security Breach: On October 28, our operations team detected unauthorized access to an internal, employee-facing support application.

We immediately responded to this event, by shutting down our employee support applications and beginning an investigation which quickly isolated the improperly secured account. We have determined that the unauthorized access was enabled by a credential that had been shared with a compromised personal account.

No internal application was made available to our team before a team-wide credential reset and audit.

Users of our support application have access to account information, including lists of databases, email addresses, and bcrypt-hashed user credentials.

Our support tool includes an “impersonate” feature that enables MongoHQ employees to access our primary web UI as if they were a logged in customer, for use in troubleshooting customer problems. This feature was used with a small number of customer web UI accounts. Our primary web UI allows customers to browse data and manage their databases. We are contacting affected customers directly.

We have additionally determined that an unauthorized user to our support system would have had some access to our account database, which includes connection info for customer MongoDB instances.

We’ve conducted an audit of direct access to customer databases and determined that several databases may have been accessed using information stored in our account database. We are contacting affected customers directly. If you have not heard from us individually, there is no evidence that your DB was accessed by an unauthorized user.