MongoHQ Compromised, Have You Checked Your Security Settings?


MongoHQ is a private, Database-as-a-Service platform for securely hosting and managing shared and dedicated MongoDB instances. Buffer app hacked accounts led to compromise MongoHQ application as per MongoHQ initial reporting. All High-tech applications are based on heterogeneous structure where multiple applications have to integrate with each other in controlled fashion. Security is a continuous process; companies have to scrutinize their security parameters.

Incident Snapshot

Incident details shared by MongoHQ team on their blog says: “On October 28, our operations team detected unauthorized access to an internal, employee-facing support application.

“We immediately responded to this event, by shutting down our employee support applications and beginning an investigation which quickly isolated the improperly secured account. We have determined that the unauthorized access was enabled by a credential that had been shared with a compromised personal account.”

MongoHQ team have immediately shutdown the application and started investigation and during there initial investigation they have found that one account was having shared credentials which was already affected by Buffer App hack. Luckily bcrypt was in place to slow down the hack, which caused the brute force attacks to slow down.

Points to Ponder ?

MongoHQ was able to know about hack when some suspicious activity caught an eye. From how long MongoHQ was hacked? How much data have been compromised?  What would be the worth of data that a database hosting company would be hosting? What if hackers having solution to deal with bcrypt solutions?

We are in a rapidly evolving technology cloud, and after revelation of NSA one thing is fair to believe that Zero-days are now commonly underground.

  1. When was the last time you have performed a security assessment?
  2. Are your passwords kept in an encrypted form?
  3. Have you checked the permissions of users?
  4. Are your users passed through social engineering training?