MongoDB Security Incident Post Event Summary, January 23, 2024

Lena Smart

MongoDB first informed customers in an alert posted on December 16, 2023 at 3:00pm EST that it was actively investigating a security incident involving unauthorized access to certain MongoDB corporate systems, which included exposure of customer account metadata and contact information. MongoDB posted updated information on www.mongodb.com/alerts as we continued to investigate the matter, notifying customers that our investigation was complete and closed in a post on January 3, 2024 at 5:00pm EST.

During the investigation, we were able to confirm that the unauthorized party never had access to any MongoDB clusters – either on-premises or in MongoDB Atlas – and never penetrated the Atlas cluster authentication system. As a reminder, MongoDB Atlas cluster access is authenticated via a separate system from MongoDB corporate systems.

On October 6, 2023, at approximately 11:45:00 UTC, a previously unknown flaw in a third-party application used by MongoDB staff enabled an unauthorized party to successfully phish and acquire the Single Sign-On (“SSO”) credentials and a corresponding Time-based One-Time Password (“TOTP”) from a MongoDB employee. The unauthorized party executed an Adversary-in-the-Middle (AitM) attack and used the credentials acquired from the phishing attack to access data in certain corporate applications. As described in our previous alerts and blog, this included access to corporate applications containing certain customer contact information and metadata.

Within twenty-four hours after the initial intrusion on October 6, 2023, MongoDB’s standard session limits kicked in, and the unauthorized party lost access to our corporate applications, except for our corporate messaging application. Between December 12 and December 14, 2023, the unauthorized party used their access to the corporate messaging application to send additional targeted phishing messages to MongoDB employees from the initially compromised user account, which enabled them to regain access to MongoDB corporate applications for a limited time.

On December 14, a MongoDB employee identified the fraudulent phishing messages sent by the unauthorized party in our corporate messaging application and notified the MongoDB security team. The MongoDB security team immediately enacted its incident response plan. MongoDB's investigation focused on determining the timeline of the event, the initial infection vector, and the number of impacted employees. With that information, MongoDB and our third-party forensics firm examined logs for all systems the attacker accessed and used this information to understand the breadth of the event.

MongoDB took the following actions:

  • Disabled the functionality in the third-party application that contained the flaw abused by the unauthorized party;

  • Reset the credentials of all known and suspected compromised user accounts;

  • Cleared active sessions of all known and suspected compromised user accounts;

  • Examined the environment to fully understand the breadth and depth of the unauthorized party’s activity and to extract indicators of compromise; and,

  • On an ongoing basis, we’re continuing to review and harden our security posture, including developing additional monitoring and alerts.

We also strengthened our phishing-resistant, multi-factor authentication policies and continue to reiterate that customers should enforce phishing-resistant MFA, regularly rotate passwords, and remain vigilant for social engineering attacks.

MongoDB’s investigation is complete and closed. Together with our third-party forensic experts, we can confirm that the unauthorized party no longer has access to our environment.