MongoDB Security Incident Post Event Summary, January 23, 2024
MongoDB first informed customers in an alert posted on December 16, 2023 at 3:00pm EST that it was actively investigating a security incident involving unauthorized access to certain MongoDB corporate systems, which included exposure of customer account metadata and contact information. MongoDB posted updated information on www.mongodb.com/alerts as we continued to investigate the matter, notifying customers that our investigation was complete and closed in a post on January 3, 2024 at 5:00pm EST. During the investigation, we were able to confirm that the unauthorized party never had access to any MongoDB clusters – either on-premises or in MongoDB Atlas – and never penetrated the Atlas cluster authentication system. As a reminder, MongoDB Atlas cluster access is authenticated via a separate system from MongoDB corporate systems.

On October 6, 2023, at approximately 11:45:00 UTC, a previously unknown flaw in a third-party application used by MongoDB staff enabled an unauthorized party to successfully phish and acquire the Single Sign-On (“SSO”) credentials and a corresponding Time-based One-Time Password (“TOTP”) from a MongoDB employee. The unauthorized party executed an Adversary-in-the-Middle (AitM) attack and used the credentials acquired from the phishing attack to access data in certain corporate applications. As described in our previous alerts and blog, this included access to corporate applications containing certain customer contact information and metadata. Within twenty-four hours after the initial intrusion on October 6, 2023, MongoDB’s standard session limits kicked in, and the unauthorized party lost access to our corporate applications, except for our corporate messaging application.

Between December 12 and December 14, 2023, the unauthorized party used their access to the corporate messaging application to send additional targeted phishing messages to MongoDB employees from the initially compromised user account, which enabled them to regain access to MongoDB corporate applications for a limited time. On December 14, a MongoDB employee identified the fraudulent phishing messages sent by the unauthorized party in our corporate messaging application and notified the MongoDB security team. The MongoDB security team immediately enacted its incident response plan. MongoDB's investigation focused on determining the timeline of the event, the initial infection vector, and the number of impacted employees. With that information, MongoDB and our third-party forensics firm examined logs for all systems the attacker accessed and used this information to understand the breadth of the event.

MongoDB took the following actions:
- Disabled the functionality in the third-party application that contained the flaw abused by the unauthorized party;
- Reset the credentials of all known and suspected compromised user accounts;
- Cleared active sessions of all known and suspected compromised user accounts;
- Examined the environment to fully understand the breadth and depth of the unauthorized party’s activity and to extract indicators of compromise; and
- On an ongoing basis, we’re continuing to review and harden our security posture, including developing additional monitoring and alerts.

We also strengthened our phishing-resistant, multi-factor authentication policies and continue to reiterate that customers should enforce phishing-resistant MFA, regularly rotate passwords, and remain vigilant for social engineering attacks. MongoDB’s investigation is complete and closed. Together with our third-party forensic experts, we can confirm that the unauthorized party no longer has access to our environment.
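As an added illustration, not part of MongoDB's summary, of why the remediation stresses phishing-resistant MFA: the model below contrasts an RFC 6238 TOTP check, which sees only six digits and therefore accepts a code relayed from a look-alike page within the same 30-second step, with a simplified WebAuthn-style check in which the browser-supplied origin is covered by the signature, so an assertion produced on the look-alike origin fails at the real one. The secrets, the origins, the challenge and the HMAC stand-in for the authenticator's public-key signature are constructed assumptions.

```python
import hmac, hashlib, struct, json

# Constructed demo values; none of these come from MongoDB's systems.
TOTP_SECRET = b"constructed-shared-secret"
AUTHENTICATOR_KEY = b"constructed-per-credential-key"  # stands in for the private key
REAL_ORIGIN = "https://sso.example.test"     # hypothetical legitimate SSO origin
PHISH_ORIGIN = "https://sso-example.test"    # hypothetical look-alike AitM origin
STEP = 30

def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def idp_verify_totp(code: str, unix_time: int) -> bool:
    """The IdP only sees six digits: nothing tells it where the user typed them."""
    return hmac.compare_digest(code, totp(TOTP_SECRET, unix_time))

def authenticator_assert(origin: str, challenge: str) -> dict:
    """Simplified WebAuthn-style assertion: the browser, not the user, records the
    origin it is actually talking to, and that field is covered by the signature."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    sig = hmac.new(AUTHENTICATOR_KEY, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}

def rp_verify_assertion(assertion: dict, expected_challenge: str) -> bool:
    """Relying party checks the signature, the challenge, and that the signed
    origin is its own; a relayed assertion carries the phishing origin instead."""
    data_bytes = assertion["client_data"].encode()
    expected = hmac.new(AUTHENTICATOR_KEY, data_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False
    data = json.loads(assertion["client_data"])
    return data["challenge"] == expected_challenge and data["origin"] == REAL_ORIGIN

def relay_scenario(unix_time: int, challenge: str) -> dict:
    """Model the relay: the user authenticates on the look-alike page and the proxy
    forwards what it received to the real IdP a few seconds later, same TOTP step."""
    step_start = unix_time - unix_time % STEP
    relayed_code = totp(TOTP_SECRET, step_start)                  # typed on the phish page
    relayed_assertion = authenticator_assert(PHISH_ORIGIN, challenge)  # signed for phish origin
    return {
        "totp_accepted": idp_verify_totp(relayed_code, step_start + 5),
        "webauthn_accepted": rp_verify_assertion(relayed_assertion, challenge),
    }
```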
Making Employees Champions for Cybersecurity Culture
As CISO, I view our employees as our strongest link and our best advocates for cultivating a strong security culture at MongoDB. Security teams can often be perceived negatively internally, and with the shift to remote and hybrid working over the last year-plus, we’ve made a very conscious effort to engage and educate our employees. While you can have all the tools in the world, at the end of the day, people are the key to a robust and ever-expanding cybersecurity program. This is not a new message, but it takes on a very different form now that, in some cases, every employee is working from a different kitchen table or home office, with varying setups and network accessibility. The perimeter no longer exists and there is no such thing as a one-way path for network traffic. All your entry points can also just as easily become attack vectors. So everyone needs to be involved and accountable. However, this is not about IT expertise; rather, it is about tact and empathy. Employees tend to be viewed as a risk when it comes to cybersecurity. This message, however, can lead to a culture of mistrust, which often results in employees worrying about the consequences of reporting anything. They feel embarrassed about clicking on that link in the email from the sender they didn’t recognize, so instead of reporting the incident, they just ignore it, leading to much bigger issues. Instead of a risk, at MongoDB, we make employees our security champions. The MongoDB Security Champions Program is a team of over 90 employees who have volunteered to help in our cybersecurity efforts. They are from departments all over the company, such as HR, communications, and product development, and they become ambassadors within their team for cybersecurity, adding to the strength of our security team. A comprehensive security plan cannot be limited to rules defined by IT, but must include commitment, ideas and understanding from all over the organization.
This helps to avoid "information silos" and enables us to tailor information towards day-to-day scenarios that apply to specific functions. The security champions also feed back to the IT team, contributing knowledge and experience to the overall security strategy that only they can provide. A data protection officer understands GDPR compliance, a technician knows all about encryption or identity management, but only the customer consultant knows what issues can arise when external customer representatives need to access data on company servers. This has successfully addressed the issue of trust. Teams now have a security contact who is a trusted member of their team. Someone who clicked the "bad link" is much more likely to confide in a colleague, and in this way the champions act as a link between their own team and the team that defines IT security governance in the company. The champions themselves also report beneficial effects. We have often heard companies complain about a lack of talent in cybersecurity. Training people in your existing workforce is a potential solution to this. Security champion members identify with their own specialist department as much as they do with their security work. They play a crucial role in shaping the future, develop new skills, gain self-confidence and increase their commitment. Six months after MongoDB implemented the Security Champions Program, we saw an increase in reported security events, making it easier to detect and respond to incidents. The topic of cybersecurity, which had previously been a nuisance for many, now even contributes to team building – a welcome side effect of a positive and inclusive security culture.