MongoHQ breached after staffer reused password

Hackers broke into database-as-a-service platform provider MongoHQ by accessing an employee's administration application that was protected by a re-used password.

Some of compromised information includes lists of databases, email addresses and bcrypt-hashed credentials, according to a post by MongoHQ CEO Jason McCay.

He added that all affected customers are being notified directly.

The shared password which gave the attackers access to the MongoHQ admin application was also used for the staffer's personal unnammed account which was also breached.

Veteran penetration tester and JumpCloud co-founder David Campbell said the personal account was likely an email, Facebook or Twitter account compromised by a spear phishing attack.

“It appears MongoHQ had an admin application used by employees to manage accounts and that was available over public internet,” Campbell said. “It's not the best practice, but it's common.”

"The attackers were able to connect the dots. They were able to find the MongoHQ admin interface. If the admin site was protected by a virtual private network (VPN), the attackers would not have found the website so easily. It would be a longer attack. It would require compromising VPN credentials.”

Establishing a VPN is just part of the actions MongoHQ has taken in response to the incident, McCay said, explaining all MongoHQ employee email accounts, network devices and internal applications have been locked pending a reset of credentials and an audit.

Additionally, the admin application will remain down until a third-party security firm validates two-factor authentication, a system of permissions for personnel privileges, and that access to applications, services and tools are provided exclusively through the VPN.

“Every internal database we operate has been re-credentialed; our operating environment is being rigorously audited to ensure that no information available to support users on Oct. 28 is of any use in the future,” according to the McCay post.

“We are modifying our system to encrypt/decrypt sensitive data at the application level to mitigate the effect of an unauthorized user accessing our accounts [database].”

The MongoHQ breach led to the compromise of social media sharing service Buffer, which revealed on Oct. 26 that it was the victim of a hack and confirmed the reason in a follow-up post. MongoHQ manages Buffer's database.

This article originally appeared at scmagazineus.com