Cloud-based database service MongoHQ said on Tuesday that attackers had gained access to an internal, employee-facing support application, exposing customer accounts and database instances. According to the company, one tool accessed by the attacker(s) lets MongoHQ support staff “impersonate” a customer: it opens the web interface as if the staff member were logged in as that customer.
The company said the intrusion was detected on October 28, 2013, and that the attacker was using a password obtained from a compromised personal account.
“We’ve conducted an audit of direct access to customer databases and determined that several databases may have been accessed using information stored in our account database,” Jason McCay, founder and CEO of MongoHQ, warned in a security notice on Tuesday.
“We are contacting affected customers directly. If you have not heard from us individually, there is no evidence that your DB was accessed by an unauthorized user,” McCay continued.
According to its website, the company’s platform processes more than 6 billion MongoDB operations every day.
In response to the breach, the company said that all MongoHQ employee accounts, including email, network devices, and internal applications, have been locked out and are being re-enabled only after a credential reset and audit.
Furthermore, the company said its employee-facing support applications are now locked down, with some components currently disabled entirely.
McCay said the affected applications would not be re-enabled until the company has enforced two-factor authentication, restricted access to the applications to VPN connections only, and implemented a thoroughly tested system of graduated permissions.
In addition to describing the events in more detail, the company offered customers advice on protecting their assets, including changing database passwords and checking both their databases and their MongoHQ account for unused, expired, or invalid usernames.
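One way a customer could carry out that audit on their own deployment, as an added example that is not part of the original article or of MongoHQ's tooling: the script below cross-references the user list (in the shape returned by the mongo shell's `db.getUsers()`) against successful-authentication events from the mongod log, flags accounts that have never authenticated or have been idle too long (rated higher when they hold a privileged role), rejects usernames that fail a simple validity check, reports authentications by principals that are not in the user list at all, and emits a password-rotation plan. Everything here is constructed: the users, the log excerpt, the 30-day idle threshold and the "as-of" date are sample data, and the log pattern assumes mongod's "Successfully authenticated as principal <user> on <db>" message, so adjust `AUTH_RE` for your server version. The rotation commands assume the `db.changeUserPassword()` shell method.

```python
"""Audit MongoDB users for stale, invalid or unknown accounts (added example, constructed data)."""
import re
import secrets
from datetime import datetime, timedelta, timezone

# Roles that warrant a higher severity when the account looks stale.
PRIVILEGED_ROLES = {
    "root", "dbOwner", "userAdmin", "userAdminAnyDatabase",
    "readWriteAnyDatabase", "clusterAdmin",
}
# Conservative username policy: letters, digits, dot, underscore, dash.
VALID_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

# Constructed sample of db.getUsers() output (fields trimmed to what we need).
USERS = [
    {"user": "app_rw", "db": "orders", "roles": [{"role": "readWrite", "db": "orders"}]},
    {"user": "reporting", "db": "orders", "roles": [{"role": "read", "db": "orders"}]},
    {"user": "old_contractor", "db": "orders", "roles": [{"role": "dbOwner", "db": "orders"}]},
    {"user": "support tmp", "db": "orders", "roles": [{"role": "readWrite", "db": "orders"}]},
]

# Constructed mongod log excerpt; format assumed, see AUTH_RE.
SAMPLE_LOG = """\
2013-10-27T08:12:01.000+0000 I ACCESS   [conn41] Successfully authenticated as principal app_rw on orders
2013-10-29T09:40:22.000+0000 I ACCESS   [conn57] Successfully authenticated as principal app_rw on orders
2013-09-02T17:03:11.000+0000 I ACCESS   [conn12] Successfully authenticated as principal reporting on orders
2013-10-29T10:01:45.000+0000 I ACCESS   [conn60] Successfully authenticated as principal ghost on orders
2013-10-29T10:02:00.000+0000 I NETWORK  [conn60] end connection 10.0.0.7:51234
"""

AUTH_RE = re.compile(
    r"^(\S+) I ACCESS\s+\[conn\d+\] Successfully authenticated as principal (\S+) on (\S+)"
)
# Constructed "as of" time for the idle calculation (the audit date).
AS_OF = datetime(2013, 10, 30, tzinfo=timezone.utc)


def last_successful_auth(log_text):
    """Map (user, db) -> most recent successful authentication time found in the log."""
    last = {}
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%f%z")
        key = (m.group(2), m.group(3))
        if key not in last or ts > last[key]:
            last[key] = ts
    return last


def audit_users(users, log_text, now=AS_OF, max_idle_days=30):
    """Return (severity, user, db, reason) findings for stale, invalid or unknown accounts."""
    last = last_successful_auth(log_text)
    known = {(u["user"], u["db"]) for u in users}
    findings = []
    for u in users:
        privileged = any(r["role"] in PRIVILEGED_ROLES for r in u["roles"])
        sev = "high" if privileged else "medium"
        if not VALID_NAME.match(u["user"]):
            findings.append(("high", u["user"], u["db"], "invalid username"))
        seen = last.get((u["user"], u["db"]))
        if seen is None:
            findings.append((sev, u["user"], u["db"], "never authenticated in log window"))
        elif now - seen > timedelta(days=max_idle_days):
            findings.append((sev, u["user"], u["db"], f"idle {(now - seen).days} days"))
    # A principal that authenticates but is absent from getUsers(): a since-deleted
    # account still in the log window, or an account created where you did not expect it.
    for (user, db), ts in last.items():
        if (user, db) not in known:
            findings.append(("high", user, db, f"auth for unknown principal at {ts.isoformat()}"))
    return findings


def rotation_plan(users):
    """Mongo shell commands that rotate every listed user's password to a fresh random value."""
    return [
        f'db.getSiblingDB("{u["db"]}").changeUserPassword("{u["user"]}", "{secrets.token_urlsafe(24)}")'
        for u in users
    ]


if __name__ == "__main__":
    for finding in audit_users(USERS, SAMPLE_LOG):
        print("%-6s %-15s %-8s %s" % finding)
    print("\n".join(rotation_plan(USERS)))
```

Run it against a real deployment by replacing `USERS` with the JSON from `db.getUsers()` for each database and `SAMPLE_LOG` with the mongod log covering the period you care about; the idle threshold and the privileged-role set are policy knobs, not facts about MongoDB. The generated passwords are printed once and never stored, so feed the plan straight into the shell and into your secret store in the same step.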
This attack is yet another example of attackers leveraging privileged accounts to successfully compromise an organization.
Theft, misuse, and exploitation of privileged accounts are key tactics in every phase of APTs and other targeted attack campaigns, according to a report CyberSheath released earlier this year.
According to Verizon’s 2013 Data Breach Investigation Report, 76 percent of network intrusions exploited weak or stolen credentials.
“Security needs to start with identifying and securing every one of these powerful accounts and automating the controls around them,” John Worrall, CMO of Cyber-Ark said previously.
MongoHQ did not say how many customer accounts were affected.
Related Reading: Attackers Capitalizing On Poorly Managed Privileged Accounts
Related Reading: Privileged Accounts Play Key Role in Advanced Cyber Attacks
Related Reading: Stolen Login Credentials, Poor Security Practices Led to South Carolina Data Breach