MongoDB Security Incident Update, December 20, 2023


The following is an update on the security incident first reported on December 16, 2023, US Eastern time (EST). For all critical alerts and advisories for MongoDB, please visit

We continue to find no evidence of unauthorized access to MongoDB Atlas clusters or the Atlas cluster authentication system.

Based on the investigation to date, the unauthorized third party used a phishing attack to gain access to some of the corporate applications that we use to provide support services to MongoDB customers. In collaboration with outside forensic experts, we currently have a high level of confidence that the unauthorized third party has been removed from our corporate applications and that this incident is contained.

Although our investigation remains ongoing, today we’re sharing additional information regarding the contact information and related account metadata that we have identified as having been exposed. The tables below show the relevant fields.

CRM Application

Field Name Description
First Name
Last Name
Account Name Company Name
Address Street
Address City
Address State
Address Zip
Address Country
Phone 1 Primary Phone
Phone 2 Mobile
Phone 3 Fax
Owner Full Name MongoDB Sales Contact

Customer Support Application

Field Type Description
User Name String Username / email address for
Last Auth Date/Time Time of last user authentication
Last Auth Method String Last authentication method used
Time Zone ID String ID for user's preferred time zone
Time Zone Code String Alphabetical code for user's preferred timezone
Created Date/Time User registration time
First Name String User first name
Last Name String User last name
User ID String Internal unique user identifier
Is Invite Boolean User invited but has not yet accepted invite
Read Only Boolean User has limited permissions
Last Page View Date/Time Last time a page was viewed by user
Login Count Number Number of times a user has logged in
Is Locked Boolean Indicates if user is locked, automatically or manually
Is Deleted Boolean Indicates if user has been deleted
Deleted Date Date/Time Time at which the user was deleted
Email Last Verified Date/Time Email verification date
Email Needs Verification Boolean Email needs verification
Email Address String Alternate email address
Has Account Multifactor Auth Boolean User is enrolled for multifactor authentication
Deprecated Fields The fields below are only populated for users of our deprecated multifactor authentication (MFA) system. We released our current MFA system in January 2021.
Multifactor Auth Phone String Phone number used for deprecated MFA
Multifactor Auth Extension String Phone number extension used for deprecated MFA
Multifactor Auth Backup Phone String Alternate phone number used for deprecated MFA
Multifactor Auth Backup Phone Extension String Alternate phone number extension used for deprecated MFA
Multifactor Auth Authenticator Boolean Specifies whether an authenticator device was used for deprecated MFA
Multifactor Auth Voice Boolean Specifies whether a user of deprecated MFA wished to receive voice calls
Unused Fields The following fields are no longer in use by any system.
Multifactor Auth Update Key String May be populated for users of deprecated MFA. Field is not used by any system.
Team IDs String[] Empty and unused
Num Teams Number Empty and unused
Status String Empty and unused
Num Groups Number Empty and unused
Internal Fields
Roles String[] Internal field, populated only for MongoDB employee records
Roles String String Internal field, populated only for MongoDB employee records

In addition, we previously disclosed a list of indicators of compromise (IOCs) from which we detected unauthorized activity; that list is shared again below. Pursuant to industry best practices, we recommend that customers take the following actions using this information:

  • Provide this list of IOCs to your security or infrastructure teams. These teams can proactively set up firewall blocks or monitoring, as appropriate.

  • Search your application or infrastructure logs for these addresses to identify possible anomalous activity.

  • Please be aware that threat actors will regularly change IP addresses, therefore this list is not exhaustive.

Indicators of Compromise (IOC)

We also continue to recommend that customers be vigilant for social engineering and phishing attacks, activate phishing-resistant, multifactor authentication (MFA), and regularly rotate their passwords. To learn how you can enable phishing-resistant MFA on MongoDB’s native cloud authentication service, read our documentation on managing MFA options. MongoDB Cloud also supports federating your identity from your IDP, and you can read about configuring federated authentication here.

Moving forward, MongoDB will post updates to when we have notable new information.

Update as of January 3, 2024: The investigation of this incident is complete and closed. Please see the MongoDB Alerts page for more information.