Attacks/Breaches
10/30/2013
11:42 AM
50%
50%

MongoHQ To Customers: Change Database Passwords

Following security breach, MongoDB hosting firm advises customers to change database passwords as it locks down systems and bolsters security defenses.

After an attacker gained unauthorized access to a MongoHQ support system, the MongoDB hosting service has advised all customers to change their database passwords.

"On October 28, 2013, we detected unauthorized access to an internal support application using a password that was shared with a compromised personal account," read a MongoHQ Security Breach advisory published Tuesday by Jason McCay, the CEO of MongoHQ. "We immediately responded to this event by shutting down our employee support applications and beginning an investigation which quickly isolated the improperly secured account."

In response to the breach, McCay said that every internal MongoHQ system has been locked down, and many remain disabled. The systems are being brought back online only after associated credentials have been reset and a third-party audit verifies both that old credentials no longer work. Going forward, support personnel will have access only to the minimum amount of information necessary to do their job. McCay added that a two-factor authentication system has also been put in place to secure access to all of the company's email and backend systems.

"In handling security incidents, MongoHQ's priorities are to halt the attack, eliminate the control failures that allowed the attack to occur, and to report the incident candidly and accurately to our customers," he said. "As one of the founders of this company and a part of this great team, I hoped to never have to send this notice. ... We are taking all appropriate steps to mitigate this risk and protect you."

[ Syrian Electronic Army targets President Obama's social media accounts. Read Syrian Hackers Attack Obama's Website. ]

MongoHQ is a database-as-a-service provider that was founded in 2011 to provide hosted instances of MongoDB. Meant to echo the word "humongous," MongoDB is a free, open source and cross-platform database system that's designed to be document-oriented. A number of organizations employ the technology, including Craigslist, MetLife, SAP and the European Organization for Nuclear Research, better known as CERN, which employs the database system to collect data from the Large Hadron Collider. (To be clear, none of those organizations have publicly stated that they're MongoHQ customers.)

What risk do MongoHQ's customers now face? McCay said that the support application, which the attacker accessed, includes the ability to "impersonate" a customer -- to browse customers' data and manage their databases -- for troubleshooting purposes. By accessing the support application, McCay said, the attacker could have obtained customer-related account information, including lists of databases, email addresses, and bcrypt-hashed user credentials. Still, the use of bcrypt -- a password-hashing algorithm that's earned plaudits from encryption experts for being tough for would-be password crackers to attack -- is a point in MongoHQ's favor, because it's bought the company time to block any attacks that might result from cracked credentials.

McCay noted, however, that the attacker also appeared to directly access some customers' hosted databases. "We've conducted an audit of direct access to customer databases and determined that several databases may have been accessed using information stored in our account database," he said. MongoHQ is notifying affected customers directly.

Due to the breach, McCay advised all customers to change their database passwords, either through the MongoHQ website user interface or by connecting directly to the database. Changing the access credentials, he noted, will require an update to any applications that connect to your database as well. He also recommended that all customers check their database and MongoHQ account for unused, expired or invalid usernames and eliminate them.

MongoHQ's data breach response may have also affected customers whose MongoDB systems are tied to Amazon Web Services. "As a precaution, we took additional steps on behalf of our customers to invalidate the Amazon Web Services credentials we were storing for you [for the purposes of backups to S3]," said McCay. "While this prevents the abuse of your AWS credentials by any malicious party, it may have resulted in additional unintended consequences for your AWS environment if you were utilizing the same AWS credentials for other purposes. We apologize for any inconvenience, and we have provided a list of impacted AWS credentials to AWS Security."

An Amazon Web Services spokeswoman said via email that the company is offering premium AWS support for MongoHQ users affected by the breach "as a courtesy to our customers."

Of course, no one -- businesses or their customers -- wants to become data breach victims. But what businesses do in the aftermath of a breach can make a world of difference for minimizing any fallout suffered by their customers. So far, MongoHQ's post-intrusion response -- detailing what happened, the steps it's putting in place to prevent a reoccurrence in the future, bringing in outside information security investigators, and proceeding in a rigorous manner to assess systems before bringing them online again, all less than 24 hours after the breach was detected -- appears to stand as a model for how businesses that do suffer a data breach should respond.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
D. Henschen
50%
50%
D. Henschen,
User Rank: Apprentice
10/31/2013 | 2:15:48 PM
re: MongoHQ To Customers: Change Database Passwords
This is an unfortunate incident for MongoDB because it will enable unscrupulous competitors to try to tar the database with the brush of this incident. It's clear it's the hosting provider's security, not inherent database security, that was compromised, but that won't stop detractors from flashing headlines and adding to the FUD.

We've had headlines here on InformationWeek.com including "Does NoSQL Mean No Security?" http://ubm.io/17uWrZK that have raised this issue before, discussing JavaScript injection and JSON injection as the NoSQL equivalent of SQL injection.

NoSQL database vendors have added a lot of security provisions since that 2012 article, but I'm no security expert and would refer you to DarkReading.com for the latest on NoSQL security. I've heard relational incumbents throw security cold water on NoSQL in general, and this incident will just add heat without shedding light on the real question of relative security.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.