MongoHQ scrambles to address major database hack
After users' hashed passwords, e-mail addresses, and other information are exposed in a security breach, the cloud-based hosting service neutralizes the attack and works to prevent future incidents.
Database hosting service MongoHQ suffered a considerable security breach on Monday, in which users' e-mail addresses, hashed password data, and other account information were exposed to hackers.
"We detected unauthorized access to an internal support application using a password that was shared with a compromised personal account," MongoHQ co-founder Jason McCay wrote in a blog post. "In handling security incidents, MongoHQ's priorities are to halt the attack, eliminate the control failures that allowed the attack to occur, and to report the incident candidly and accurately to our customers."
In an effort to secure its networks, MongoHQ has provided users with information on the incident and on how it is working both to neutralize the breach and to prevent future attacks. First, it locked out every MongoHQ employee account while it enables a credential reset and audit. Second, it disabled its employee-facing support applications while it sets up enforced two-factor authentication, a system of graduated permissions, and other security measures.
"As a precaution, we took additional steps on behalf of our customers to invalidate the Amazon Web Services credentials we were storing for you," McCay wrote. "We have done the work to ensure the security of your data. We have taken further steps to test and validate this work by bringing on a third-party security firm for testing of this effort."
It's unclear how many users were affected by the breach. McCay said that MongoHQ will continue to update its Web site with any new information on the hack, along with recommendations for users to protect their data.