Categories: Security

The MongoDB Security Incident: What’s Known

During December 2023, a new data breach – a MongoDB security incident – emerged.

What Happened?

According to HackRead, MongoDB’s CISO confirmed that MongoDB suffered a data breach. Some reports suggest that unauthorized access to MongoDB’s servers may have gone undetected for quite a while; in December 2023, however, MongoDB eventually detected it.

Once the MongoDB security incident was verified, MongoDB immediately sprang into action. Its investigation determined that the unauthorized party, whoever he or she might have been, never accessed sensitive data in MongoDB clusters and never accessed MongoDB Atlas itself.

However, MongoDB’s team also determined that during the first half of October 2023, an unauthorized party acquired SSO credentials through phishing and accessed systems using those SSO credentials together with a one-time password.

The good news is that MongoDB’s systems were protected by standard session expiration, which effectively kicked the attacker out after 24 hours. That is a useful line of defense, but, as MongoDB states, it didn’t stop the attacker for good – the attacker came knocking on MongoDB’s doors again in mid-December 2023 and, using unauthorized access to a corporate application capable of sending messages, sent a couple of phishing messages to MongoDB employees, thus regaining access.

That access wasn’t sustained for long: MongoDB identified the messages and immediately alerted its security team, which activated its incident response plan. According to MongoDB, the security team took the following steps to contain this MongoDB security incident and prevent such occurrences in the future:

  • Reset user passwords to ensure that users affected by this MongoDB security incident won’t fall victim to identity theft attacks.
  • Disabled the functionality in the affected application, so the attacker could no longer use it to retain access to MongoDB systems – this was probably the most important step.
  • “Reset” the sessions of accounts that could have been compromised, logging them out in the process.
  • Examined the environment where the data breach could have taken place.
  • Continues to improve MongoDB’s security posture.

According to MongoDB, the team has also worked on strengthening its MFA policy and regularly rotates passwords to prevent issues like this MongoDB security incident from occurring in the future.
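Two of the controls described above, a session that expires 24 hours after it was issued regardless of activity and an incident-time “reset” that logs out every session of a possibly compromised account, are easy to get wrong when a session store only tracks idle time. The following is an added example, not MongoDB’s code and not code from this blog’s author: a minimal in-memory session store with an absolute lifetime cap and per-account revocation. The class and function names, the 24-hour constant and the sample timestamps are all assumptions chosen for illustration.

```python
"""Added example (not MongoDB's code): a session store with an absolute
24-hour lifetime and an incident-response "reset" that logs out every
session of one account. Names and timestamps are illustrative."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass, field

# Absolute lifetime: a session is invalid 24 hours after it was issued,
# even if it is still in use. Activity never extends it, so a stolen
# session token self-expires (the control that ejected the October attacker).
MAX_SESSION_LIFETIME_S = 24 * 60 * 60


@dataclass
class Session:
    user: str
    issued_at: float
    revoked: bool = False


@dataclass
class SessionStore:
    # token -> Session; tokens are random and never derived from user data
    sessions: dict[str, Session] = field(default_factory=dict)
    # per-user cut-off: tokens issued before this instant are rejected,
    # the same "valid only if issued after" pattern used for stateless tokens
    reset_after: dict[str, float] = field(default_factory=dict)

    def issue(self, user: str, now: float | None = None) -> str:
        """Create a new session and return its opaque token."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user=user, issued_at=now)
        return token

    def validate(self, token: str, now: float | None = None) -> str | None:
        """Return the user for a live session, or None if the token is
        unknown, revoked, past its absolute lifetime, or issued before the
        account's last reset."""
        now = time.time() if now is None else now
        sess = self.sessions.get(token)
        if sess is None or sess.revoked:
            return None
        if now - sess.issued_at >= MAX_SESSION_LIFETIME_S:
            return None
        if sess.issued_at < self.reset_after.get(sess.user, float("-inf")):
            return None
        return sess.user

    def reset_user(self, user: str, now: float | None = None) -> int:
        """Incident response: log out every session of a possibly
        compromised account and record a cut-off so that no token issued
        before the reset is ever accepted again. Returns the number of
        sessions revoked."""
        now = time.time() if now is None else now
        self.reset_after[user] = now
        count = 0
        for sess in self.sessions.values():
            if sess.user == user and not sess.revoked:
                sess.revoked = True
                count += 1
        return count


if __name__ == "__main__":
    # Constructed walkthrough with fixed timestamps (t0 is arbitrary).
    store = SessionStore()
    t0 = 1_700_000_000.0
    tok = store.issue("alice", now=t0)
    print("1h later  :", store.validate(tok, now=t0 + 3600))              # alice
    print("24h later :", store.validate(tok, now=t0 + MAX_SESSION_LIFETIME_S))  # None
    tok2 = store.issue("alice", now=t0 + 10)
    print("revoked   :", store.reset_user("alice", now=t0 + 20))          # 2
    print("after rst :", store.validate(tok2, now=t0 + 30))               # None
```

The absolute-lifetime check and the revocation check are independent on purpose: the first limits how long a phished session is useful even if nobody notices it, while the second lets the responder cut off an account immediately once the phishing messages are spotted, without waiting for the 24 hours to run out.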

What Can We Learn?

One thing’s for sure – everyone is susceptible to attacks. The bigger your company is, the bigger a target it is for potential adversaries. Even though certain defensive measures (e.g. session expiration) may prevent adversaries from retaining access to your systems, that doesn’t mean your employees needn’t be vigilant – on the contrary, it means that no matter what other controls are in place, your employees need to be aware of possible security exploits, phishing included, at all times.

Of course, knowing your way around all possible security flaws and preventing all of them within your infrastructure is not the simplest of tasks – that’s where data breach search engines such as the one developed by BreachDirectory can step in. The data breach search engine developed by BreachDirectory allows you to search whether you’re at risk of identity theft through hundreds of leaked data breaches, and if that’s the case, provides necessary advice to protect yourself.

Access to the API of BreachDirectory will provide your company and team with the necessary data they can use to protect themselves and their infrastructure. Don’t wait – start protecting your assets now.

After you’re done, come back to the blog and read more about security on the web – we’ll be waiting for you!

Nirium
