MongoHQ, which provides hosting and support for the open-source Mongo database, said attackers may have accessed several of its customers' databases earlier this week.
On Monday, someone accessed an internal support application using a password that had been used for a compromised personal account, wrote Jason McCay, MongoHQ's founder.
The support application contains connection information for customer MongoDB instances, along with lists of databases, email addresses and user credentials hashed with bcrypt, a file encryption tool, McCay wrote. An audit showed that several databases may have been accessed via that support application.
"We believe we have exhausted the scope of this compromise and are directly contacting all affected customers," McCay wrote. "We are continuing to evaluate our audit logs and conducting further investigations with the help of third-party experts."
The company invalidated credentials such as IAM (Identity and Access Management) keys it stored for customers using Amazon Web Services (AWS) for backups. MongoHQ has notified AWS of the accounts that may have been affected, and AWS is offering Premium Support for organizations that need new credentials, McCay wrote.
MongoHQ, which has offices in California and Alabama, provides services to let developers create and manage NoSQL Mongo databases for their applications.
Since the breach, MongoHQ said it has reset the login credentials for its employee accounts, including email, network devices and internal applications. Employee-facing support applications have been disabled until two-factor authentication is enabled, VPN connections to those applications are enforced and employee access permissions are reviewed, McCay wrote.
In the meantime, McCay said MongoHQ is modifying its system to encrypt and decrypt data at the application level, which will mitigate possible damage from the same type of intrusion. It has also hired a security consulting firm to do a penetration test of its application stack, McCay wrote.
"Based on their recommendations, we will be hardening our applications to provide more layers of security," he wrote.
Send news tips and comments to firstname.lastname@example.org. Follow me on Twitter: @jeremy_kirk