MongoDB hosting company MongoHQ has been breached in an attack on its systems, forcing it into lockdown as it works to contact affected customers.
Attackers gained access to MongoHQ's systems through an internal employee support application. The application requires valid credentials, and MongoHQ determined that an employee's credentials had been shared with a personal account that had previously been compromised.
The application gives authorised users access to account information, lists of databases, customer email addresses, and bcrypt-hashed credentials. It also lets them use the customer-facing web interface as though they were the customer themselves.
The company says a small number of customer accounts were accessed in this way, allowing the attackers to browse those customers' databases. It is contacting the affected customers directly.
MongoHQ detected the unauthorised activity on October 28, and shut down all of its internal support applications. In addition, it began an audit of all of its internal employee accounts.
"Every MongoHQ employee account, including email, network devices, and internal applications, has been locked out, and is being enabled only after a credential reset and audit," the company wrote in its security notice.
It is now implementing two-factor authentication for its internal applications, limiting access via VPN only, and introducing more granular access control. A third party is being engaged to independently verify that these applications are secure before they are returned to service.
"We have engaged a security consulting firm to perform a thorough penetration test of our entire application stack. Based on their recommendations, we will be hardening our applications to provide more layers of security."
Current MongoHQ customers are advised to change their database passwords. Where databases were backed up to Amazon Web Services (AWS), credentials were invalidated to prevent any cascading consequences of an attack. Affected MongoHQ customers have had AWS' Premium Support offering added to their accounts to help with creating new credentials if needed.
Update: One of MongoHQ's affected customers was Buffer, which was compromised earlier this week. By accessing its database, attackers were able to steal API tokens for Twitter and Facebook and post spam on its customers' behalf.
Buffer founder and CEO Joel Gascoigne wrote on his company's blog that although the hole was with MongoHQ, responsibility for the security lapse was still with Buffer.
"If access tokens were encrypted (which they are now), then this would have been avoided. In addition, MongoHQ have provided great insights and have much more logging in place than we have ourselves. We're also increasing logging significantly as a result."
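The control Gascoigne describes, encrypting stored access tokens so that read access to the database alone does not yield usable credentials, illustrated with an added Go example that is not Buffer's or MongoHQ's code. It assumes the encryption key is held outside the database (a KMS or environment variable) and binds each ciphertext to its user id so a row copied between users cannot be decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// TokenVault encrypts third-party API tokens before they are written to the
// database; the key lives outside the database (assumed: KMS or env var).
type TokenVault struct{ aead cipher.AEAD }

func NewTokenVault(key []byte) (*TokenVault, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TokenVault{aead: aead}, nil
}

// Seal returns nonce||ciphertext. The user id is bound as associated data, so
// a ciphertext copied from one user's row into another's fails to decrypt.
func (v *TokenVault) Seal(userID, token string) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, []byte(token), []byte(userID)), nil
}

// Open reverses Seal; it errors on tampering or on a mismatched user id.
func (v *TokenVault) Open(userID string, stored []byte) (string, error) {
	n := v.aead.NonceSize()
	if len(stored) < n {
		return "", fmt.Errorf("stored value too short")
	}
	pt, err := v.aead.Open(nil, stored[:n], stored[n:], []byte(userID))
	return string(pt), err
}

func main() {
	key := make([]byte, 32) // constructed demo key, not a real secret
	rand.Read(key)
	v, _ := NewTokenVault(key)
	row, _ := v.Seal("user-42", "twitter-token-DEMO") // constructed token
	tok, _ := v.Open("user-42", row)
	_, err := v.Open("user-7", row) // row moved to another user: error
	fmt.Printf("db row: %x\nfor user-42: %s\nfor user-7: %v\n", row, tok, err)
}
```

With this in place, a database read such as the one in the MongoHQ incident exposes only ciphertext, and misuse requires the separately held key as well.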
Updated at 11.11am AEDST, October 30, 2013.