Cloud-based database service MongoHQ said it's changing log-in credentials for employees and customers alike after suffering a security breach that allowed attackers to access sensitive customer files and obtain users' e-mail addresses and cryptographically scrambled password data.
The intrusion occurred Monday, when hackers gained access to an internal support application that included a trouble-shooting feature that allows MongoHQ employees to view an account as if they are a specific customer. The support application allowed the intruders to view account information, including lists of databases, e-mail addresses, and passwords that were protected with the bcrypt hashing algorithm, Jason McCay, co-founder of the service, wrote in an advisory published Tuesday afternoon. The attackers also had the ability to view the MongoHQ account database, which includes connection information for customers' MongoDB instances.
"We've conducted an audit of direct access to customer databases and determined that several databases may have been accessed using information stored in our account database," McCay wrote. "We are contacting affected customers directly. If you have not heard from us individually, there is no evidence that your DB was accessed by an unauthorized user."