New2025 wrap-up: Voyage AI, AMP launch, & customer wins. Plus, 2026 predictions. Read blog >
NewBuild better RAG. Voyage 4 models & Reranking API are now on Atlas. Read blog >
NewIntroducing Automated Embedding: One-click vector search, no external models. Read blog > Hyperlink: Read blog >
Blog home
arrow-left

MongoDB Security Incident Update, December 20, 2023

December 21, 2023 | Updated: September 23, 2025

The following is an update on the security incident first reported on December 16, 2023, US Eastern time (EST). For all critical alerts and advisories for MongoDB, please visit mongodb.com/alerts.

We continue to find no evidence of unauthorized access to MongoDB Atlas clusters or the Atlas cluster authentication system.

Based on the investigation to date, the unauthorized third party used a phishing attack to gain access to some of the corporate applications that we use to provide support services to MongoDB customers. In collaboration with outside forensic experts, we currently have a high level of confidence that the unauthorized third party has been removed from our corporate applications and that this incident is contained.

Although our investigation remains ongoing, today we’re sharing additional information regarding the contact information and related account metadata that we have identified as having been exposed. The tables below show the relevant fields.

CRM Application

Field NameDescription
Salutation
First Name
Last Name
Title
Account NameCompany Name
Address Street
Address City
Address State
Address Zip
Address Country
Phone 1Primary Phone
Phone 2Mobile
Phone 3Fax
E-Mail
Owner Full NameMongoDB Sales Contact

Customer Support Application

FieldTypeDescription
User NameStringUsername / email address for account.mongodb.com
Last AuthDate/TimeTime of last user authentication
Last Auth MethodStringLast authentication method used
Time Zone IDStringID for user's preferred time zone
Time Zone CodeStringAlphabetical code for user's preferred timezone
CreatedDate/TimeUser registration time
First NameStringUser first name
Last NameStringUser last name
User IDStringInternal unique user identifier
Is InviteBooleanUser invited but has not yet accepted invite
Read OnlyBooleanUser has limited permissions
Last Page ViewDate/TimeLast time a page was viewed by user
Login CountNumberNumber of times a user has logged in
Is LockedBooleanIndicates if user is locked, automatically or manually
Is DeletedBooleanIndicates if user has been deleted
Deleted DateDate/TimeTime at which the user was deleted
Email Last VerifiedDate/TimeEmail verification date
Email Needs VerificationBooleanEmail needs verification
Email AddressStringAlternate email address
Has Account Multifactor AuthBooleanUser is enrolled for multifactor authentication
Deprecated FieldsThe fields below are only populated for users of our deprecated multifactor authentication (MFA) system. We released our current MFA system in January 2021.
Multifactor Auth PhoneStringPhone number used for deprecated MFA
Multifactor Auth ExtensionStringPhone number extension used for deprecated MFA
Multifactor Auth Backup PhoneStringAlternate phone number used for deprecated MFA
Multifactor Auth Backup Phone ExtensionStringAlternate phone number extension used for deprecated MFA
Multifactor Auth AuthenticatorBooleanSpecifies whether an authenticator device was used for deprecated MFA
Multifactor Auth VoiceBooleanSpecifies whether a user of deprecated MFA wished to receive voice calls
Unused FieldsThe following fields are no longer in use by any system.
Multifactor Auth Update KeyStringMay be populated for users of deprecated MFA. Field is not used by any system.
Team IDsString[]Empty and unused
Num TeamsNumberEmpty and unused
StatusStringEmpty and unused
Num GroupsNumberEmpty and unused
Internal Fields
RolesString[]Internal field, populated only for MongoDB employee records
Roles StringStringInternal field, populated only for MongoDB employee records

 

In addition, we previously disclosed a list of indicators of compromise (IOCs) from which we detected unauthorized activity; that list is shared again below. Pursuant to industry best practices, we recommend that customers take the following actions using this information:

  • Provide this list of IOCs to your security or infrastructure teams. These teams can proactively set up firewall blocks or monitoring, as appropriate.

  • Search your application or infrastructure logs for these addresses to identify possible anomalous activity.

  • Please be aware that threat actors will regularly change IP addresses, therefore this list is not exhaustive.

Indicators of Compromise (IOC)

107.150.22.47
138.199.6.199
146.70.187.157
179.43.189.85
185.156.46.165
198.44.136.69
198.44.136.71
198.44.140.133
198.44.140.199
199.116.118.207
206.217.205.88
66.63.167.152
66.63.167.154
87.249.134.10
96.44.191.132

 

We also continue to recommend that customers be vigilant for social engineering and phishing attacks, activate phishing-resistant, multifactor authentication (MFA), and regularly rotate their passwords. To learn how you can enable phishing-resistant MFA on MongoDB’s native cloud authentication service, read our documentation on managing MFA options. MongoDB Cloud also supports federating your identity from your IDP, and you can read about configuring federated authentication here.

Moving forward, MongoDB will post updates to mongodb.com/alerts when we have notable new information.

Update as of January 3, 2024: The investigation of this incident is complete and closed. Please see the MongoDB Alerts page for more information.

MongoDB Resources
Atlas Learning Hub|Customer Case Studies|AI Learning Hub|Documentation|MongoDB University