06/07/24
MongoDB does not currently use Snowflake in any part of our tech stack. Also, Snowflake is not one of our subprocessors or third party vendors. See a list of our subprocessors here.
1/23/24 - 6:00 PM EST
MongoDB has published a Post Event Summary for the security incident first reported here on December 16, 2023, US Eastern time (EST). As a reminder, our investigation is complete and closed, with our findings verified by our third-party forensic experts.
1/03/24 - 5:00 PM EST
Our investigation of the security incident first reported here on December 16, 2023, US Eastern time (EST) is now complete and closed.
The investigation led by our security and engineering teams uncovered no evidence of unauthorized access to MongoDB Atlas clusters. This finding has been verified by our third-party forensic experts.
We are committed to being timely and transparent with details about this Security Incident. We plan to release a post event summary as soon as practicable.
12/20/23 - 9:00 PM EST
We continue to find no evidence of unauthorized access to MongoDB Atlas clusters or the Atlas cluster authentication system.
Based on the investigation to date, the unauthorized third party used a phishing attack to gain access to some of the corporate applications that we use to provide support services to MongoDB customers. In collaboration with outside forensic experts, we currently have a high level of confidence that the unauthorized third party has been removed from our corporate applications and that this incident is contained.
We have identified a list of contact information and related account metadata that the unauthorized third party accessed from the compromised applications. We are providing the list of fields in the blog post linked below, along with incremental guidance about the indicators of compromise (IOCs) provided in our previous alert.
As previously disclosed, the unauthorized third party primarily accessed MongoDB customer contact information and related account metadata. Over the last 24 hours, MongoDB personnel have individually contacted any customers with exposure beyond the fields listed in our blog post. This was a separate communication from the initial security notice sent over this past weekend.
Moving forward, we will provide updates when we have notable new information.
12/18/23 - 9:00 PM EST
We continue to find no evidence of unauthorized access to MongoDB Atlas clusters or the Atlas cluster authentication system. Our investigation and work with the relevant authorities is ongoing. MongoDB will update this alert page with pertinent information as we further investigate the matter.
At this time, as a result of our investigation in collaboration with outside experts, we have high confidence that we were victims of a phishing attack. Through our investigation, we have identified certain information that may be helpful to protect yourself against a potential attack by this unauthorized party:
Indicators of Compromise (IOCs)
The unauthorized party used the Mullvad VPN. Mullvad has many external IP addresses, and there are many VPNs that can be used to hide an IP address. In this case, we saw malicious activity coming from the following IP addresses:
We recommend using the above information to search your networks for suspicious activity. We are committed to being as transparent in this process as we can and providing information so you can assess risk in your network.
In regards to our previous guidance, here are instructions on how to enable phishing-resistant MFA on MongoDB’s native cloud authentication service. MongoDB Cloud also supports federating your identity from your IDP, please see here.
We have fielded questions from some customers about the authenticity of the e-mail titled: MongoDB Security Notice that our Chief Information Security Officer, Lena Smart, sent over the weekend from mongodbteam@mail1.mongodb.com. We can confirm that this email is legitimate.
12/17/23 - 9:00 PM EST
At this time, we have found no evidence of unauthorized access to MongoDB Atlas clusters. To be clear, we have not identified any security vulnerability in any MongoDB product as a result of this incident. It is important to note that MongoDB Atlas cluster access is authenticated via a separate system from MongoDB corporate systems, and we have found no evidence that the Atlas cluster authentication system has been compromised.
We are aware of unauthorized access to some corporate systems that contain customer names, phone numbers, and email addresses among other customer account metadata, including system logs for one customer. We have notified the affected customer. At this time, we have found no evidence that any other customers’ system logs were accessed.
We are continuing with our investigation, and are working with relevant authorities and forensic firms. MongoDB will update this alert page with additional information as we continue to investigate the matter.
12/16/2023 - 05:25 PM EST
We are experiencing a spike in login attempts resulting in issues for customers attempting to log in to Atlas and our Support Portal. This is unrelated to the security incident. Please try again in a few minutes if you are still having trouble logging in. [The issue involving user login attempts has been resolved as of 10:22 PM EST]
12/16/2023 - 03:00 PM EST
MongoDB is actively investigating a security incident involving unauthorized access to certain MongoDB corporate systems, which includes exposure of customer account metadata and contact information. We detected suspicious activity on Wednesday (Dec. 13th, 2023) evening US Eastern Standard Time, immediately activated our incident response process, and believe that this unauthorized access has been going on for some period of time before discovery. At this time, we are not aware of any exposure to the data that customers store in MongoDB Atlas. Nevertheless, we recommend that customers be vigilant for social engineering and phishing attacks, activate phishing-resistant multi-factor authentication (MFA), and regularly rotate their MongoDB Atlas passwords. MongoDB will update this alert page with additional information as we continue to investigate the matter.