MongoHQ Shores Up Its Defenses After Data Breach


MongoHQ scrambled to reset customer passwords and harden access to other accounts this week after discovering that an attacker had gained access to its clients' data as well as some of the customer-hosted databases it maintains.

The Mountain View, Calif.-based company, which sells a database-as-a-platform service for users of MongoDB NoSQL database management system instances, said the breach exposed email addresses, hashed password data and other customer account information. MongoHQ also reset all Amazon Web Services S3 storage account holder passwords as a security measure and said forensics investigators determined that attackers also had access to several of its clients' databases. The forensics team believes it has contained the attack but continues to pore through logs for other clues, said Jason McCay, co-founder and CEO of MongoHQ, in a security notice about the breach.

"We have engaged a security consulting firm to perform a thorough penetration test of our entire application stack. Based on their recommendations, we will be hardening our applications to provide more layers of security," McCay said. "We've conducted an audit of direct access to customer databases and determined that several databases may have been accessed using information stored in our account database."

The data breach, which was detected Oct. 28, stemmed from a lapse in the security controls around the company's internal support application, according to MongoHQ. An employee was using a password for the internal support application that was shared with a compromised personal account, the company said. MongoHQ employees use the support tool to gain access to all customer accounts, and it includes an "impersonate" feature that lets technicians access the primary Web UI as if they were a logged-in customer in order to troubleshoot customer issues.

Security experts told CRN that businesses often fail to employ strong password management policies and other controls to protect access to critical applications. The company could have used multifactor authentication or hardware tokens, or tied the application to Active Directory or LDAP to support single sign-on, said Alex Rothacker, a database security expert and director of security research at Application Security Inc. Third-party applications sometimes make the process of adding security measures more difficult, Rothacker said.

"By enforcing password changes on a regular basis, it makes it less likely for people to use the same password outside of work," Rothacker said.

MongoHQ, which was founded in 2011, very likely lacked a strong security program, security experts said. Unless firms are PCI-regulated or need to be HIPAA-compliant, they often rush to market and cut corners, Rothacker said. "Security is often seen as an inconvenience," he said. "More common is that there is just no one in place that really understands how to set and enforce security policies."

Dozens of customer account data breaches have stemmed from poor internal policies and other failures, said Chris Camejo, director of assessment services at Integralis, an NTT Communications Group Company. The LinkedIn breach impacted millions of users and was the result of poor data security measures, experts said. The more recent Drupal data security breach stemmed from a flaw in its third-party support software.

Camejo said poor enforcement of security controls and little visibility into access to business applications are a serious problem at large enterprises. Camejo, who leads a team of penetration testers who conduct thorough assessments on businesses, said that all too often a lapse in basic security measures enables external attackers to gain widespread access to corporate systems.

"You can't keep applying technology or even set policies to address the problem without taking a complete look at what you already have in place," Camejo said. "Account credential theft will continue to be a serious problem for years to come."

PUBLISHED OCT. 31, 2013