MongoDB Security Incident Update, December 20, 2023
The following is an update on the security incident first reported on December 16, 2023, US Eastern time (EST). For all critical alerts and advisories for MongoDB, please visit mongodb.com/alerts.
We continue to find no evidence of unauthorized access to MongoDB Atlas clusters or the Atlas cluster authentication system.
Based on the investigation to date, the unauthorized third party used a phishing attack to gain access to some of the corporate applications that we use to provide support services to MongoDB customers. In collaboration with outside forensic experts, we currently have a high level of confidence that the unauthorized third party has been removed from our corporate applications and that this incident is contained.
Although our investigation remains ongoing, today we’re sharing additional information regarding the contact information and related account metadata that we have identified as having been exposed. The tables below show the relevant fields.
CRM Application
| Field Name | Description |
| --- | --- |
| Salutation | |
| First Name | |
| Last Name | |
| Title | |
| Account Name | Company Name |
| Address Street | |
| Address City | |
| Address State | |
| Address Zip | |
| Address Country | |
| Phone 1 | Primary Phone |
| Phone 2 | Mobile |
| Phone 3 | Fax |
| Owner Full Name | MongoDB Sales Contact |
Customer Support Application
| Field | Type | Description |
| --- | --- | --- |
| User Name | String | Username / email address for account.mongodb.com |
| Last Auth | Date/Time | Time of last user authentication |
| Last Auth Method | String | Last authentication method used |
| Time Zone ID | String | ID for user's preferred time zone |
| Time Zone Code | String | Alphabetical code for user's preferred time zone |
| Created | Date/Time | User registration time |
| First Name | String | User first name |
| Last Name | String | User last name |
| User ID | String | Internal unique user identifier |
| Is Invite | Boolean | User invited but has not yet accepted invite |
| Read Only | Boolean | User has limited permissions |
| Last Page View | Date/Time | Last time a page was viewed by user |
| Login Count | Number | Number of times a user has logged in |
| Is Locked | Boolean | Indicates if user is locked, automatically or manually |
| Is Deleted | Boolean | Indicates if user has been deleted |
| Deleted Date | Date/Time | Time at which the user was deleted |
| Email Last Verified | Date/Time | Email verification date |
| Email Needs Verification | Boolean | Email needs verification |
| Email Address | String | Alternate email address |
| Has Account Multifactor Auth | Boolean | User is enrolled for multifactor authentication |
| Deprecated Fields | | The fields below are only populated for users of our deprecated multifactor authentication (MFA) system. We released our current MFA system in January 2021. |
| Multifactor Auth Phone | String | Phone number used for deprecated MFA |
| Multifactor Auth Extension | String | Phone number extension used for deprecated MFA |
| Multifactor Auth Backup Phone | String | Alternate phone number used for deprecated MFA |
| Multifactor Auth Backup Phone Extension | String | Alternate phone number extension used for deprecated MFA |
| Multifactor Auth Authenticator | Boolean | Specifies whether an authenticator device was used for deprecated MFA |
| Multifactor Auth Voice | Boolean | Specifies whether a user of deprecated MFA wished to receive voice calls |
| Unused Fields | | The following fields are no longer in use by any system. |
| Multifactor Auth Update Key | String | May be populated for users of deprecated MFA. Field is not used by any system. |
| Team IDs | String[] | Empty and unused |
| Num Teams | Number | Empty and unused |
| Status | String | Empty and unused |
| Num Groups | Number | Empty and unused |
| Internal Fields | | |
| Roles | String[] | Internal field, populated only for MongoDB employee records |
| Roles String | String | Internal field, populated only for MongoDB employee records |
In addition, we previously disclosed a list of indicators of compromise (IOCs) from which we detected unauthorized activity; that list is shared again below. Pursuant to industry best practices, we recommend that customers take the following actions using this information:
- Provide this list of IOCs to your security or infrastructure teams. These teams can proactively set up firewall blocks or monitoring, as appropriate.
- Search your application or infrastructure logs for these addresses to identify possible anomalous activity.
- Please be aware that threat actors will regularly change IP addresses, therefore this list is not exhaustive.
Indicators of Compromise (IOC)
- 107.150.22.47
- 138.199.6.199
- 146.70.187.157
- 179.43.189.85
- 185.156.46.165
- 198.44.136.69
- 198.44.136.71
- 198.44.140.133
- 198.44.140.199
- 199.116.118.207
- 206.217.205.88
- 66.63.167.152
- 66.63.167.154
- 87.249.134.10
- 96.44.191.132
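The log-search step recommended above, as an added example that is not part of MongoDB's advisory: a small Python script that scans log lines for the published IOC addresses. It deliberately searches the whole line rather than a fixed column, so an IOC that sits behind a load balancer in an `X-Forwarded-For` chain or in a JSON field is still found, and it validates every dotted-quad candidate with `ipaddress` so malformed tokens are not reported. The `SAMPLE_LOG` lines are constructed for this example; the `iocs` parameter lets you extend the published set with your own observations, since the advisory notes the list is not exhaustive.

```python
import ipaddress
import re
import sys
from typing import Iterable

# IOC addresses as published in the MongoDB advisory of December 20, 2023.
MONGODB_IOCS = frozenset({
    "107.150.22.47", "138.199.6.199", "146.70.187.157", "179.43.189.85",
    "185.156.46.165", "198.44.136.69", "198.44.136.71", "198.44.140.133",
    "198.44.140.199", "199.116.118.207", "206.217.205.88", "66.63.167.152",
    "66.63.167.154", "87.249.134.10", "96.44.191.132",
})

# Anything shaped like a dotted quad, not glued to other digits or dots.
# Candidates are validated below with ipaddress, so a token such as
# 999.1.1.1 matches the regex but is dropped as an invalid address.
_IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def extract_ipv4(line: str) -> list[str]:
    """Return every valid IPv4 address in a log line, in order of appearance.

    Works for the client column of Apache/Nginx access logs, the
    comma-separated X-Forwarded-For chain a proxy writes, and JSON logs
    alike, because it scans the whole line instead of one field.
    """
    found = []
    for token in _IPV4_RE.findall(line):
        try:
            found.append(str(ipaddress.IPv4Address(token)))
        except ipaddress.AddressValueError:
            continue  # looked like an address but is not one
    return found


def find_ioc_hits(lines: Iterable[str], iocs=MONGODB_IOCS):
    """Return (line_number, matched_ip, line) for every line touching an IOC.

    A line containing several IOC addresses yields one tuple per address.
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for ip in extract_ipv4(line):
            if ip in iocs:
                hits.append((lineno, ip, line.rstrip("\n")))
    return hits


# Constructed sample log lines (not real traffic), mixing formats on purpose.
SAMPLE_LOG = [
    # Nginx-style access log with an IOC as the direct client.
    '198.44.136.69 - - [17/Dec/2023:03:14:07 +0000] "POST /login HTTP/1.1" 200 512',
    # Benign internal client; must not be reported.
    '10.0.0.5 - - [17/Dec/2023:03:14:09 +0000] "GET /healthz HTTP/1.1" 200 2',
    # JSON proxy log: the IOC is the first hop in X-Forwarded-For, the
    # "client" field only shows the load balancer.
    '{"ts":"2023-12-17T03:15:00Z","client":"10.0.1.2","xff":"66.63.167.154, 10.0.1.2","path":"/support"}',
    # Invalid dotted quad plus a valid but non-IOC address; neither is a hit.
    "worker restarted after 999.1.1.1 parse error; build 2.3.4.5",
]


if __name__ == "__main__":
    # Usage: python ioc_scan.py access.log [more.log ...]; no args scans SAMPLE_LOG.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, ip, line in find_ioc_hits(fh):
                    print(f"{path}:{lineno}: {ip}: {line}")
    else:
        for lineno, ip, line in find_ioc_hits(SAMPLE_LOG):
            print(f"sample:{lineno}: {ip}: {line}")
```

Run it against real access, proxy or VPN logs with the file paths as arguments; for logs already in a SIEM, the same `MONGODB_IOCS` set is the value list to feed into a lookup or watchlist rule. Matching is exact by design: treat any hit as a lead to investigate alongside the account-level signals the advisory mentions (last authentication time, MFA enrollment), not as proof of compromise on its own.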
We also continue to recommend that customers be vigilant for social engineering and phishing attacks, activate phishing-resistant multifactor authentication (MFA), and regularly rotate their passwords. To learn how you can enable phishing-resistant MFA on MongoDB's native cloud authentication service, read our documentation on managing MFA options. MongoDB Cloud also supports federating your identity from your identity provider (IdP), and you can read about configuring federated authentication here.
Moving forward, MongoDB will post updates to mongodb.com/alerts when we have notable new information.
Update as of January 3, 2024: The investigation of this incident is complete and closed. Please see the MongoDB Alerts page for more information.