November 14, 2013

A Look Into The MongoHQ Breach – Protect Your (Big) Data

IStock_000020541258SmallA recent security breach in MongoHQ (a MongoDB cloud services provider) left the company working hard to patch up security holes. Unfortunately common, this breach was only detected when one of MongoHQ’s customers (Buffer) realized they had been hacked.

Following the attack, MongoHQ did the right thing: they apologized to their customers, detailed their security flaws (some are quite staggering) and laid out what actions they are taking to mitigate security. 

Although the actions that MongoHQ took do improve security, data service providers and customers should ask themselves if their data is ever secure enough.

Once the data provider is breached, its customers are the first to suffer. And when discussing service providers, “small” hacks have a potentially exponential effect. Once a single server has been breached, all of the databases and the customers that own them are breached.

You’re the weakest link!

If you’re a data service provider with hundreds or even thousands of customers, getting hacked is only a matter of when – and when will it happen again.

Targeted attacks look for the weakest link in terms of security. When the weakest link is the data service provider and not the customer, the attackers might get greedy and not settle for just one target. A quote from MongoHQ :

“Currently, it appears that the unauthorized user was scanning for social media authentication information for spamming purposes, and probing for financial information in customer database”

Here are some of the issues that made the MongoHQ hack possible:

  • A support application was accessible through the web and not behind a VPN
  • Customer data was visible to users of this support application (what if the compromise was of an employee?)
  • Two factor authentication was not implemented
  • There was no User Rights Management

Securing data requires, well, some data security

Even Though many factors were responsible for this breach (such as “Excessive and Unused Privileges”, “Privilege Abuse” and “Unmanaged Sensitive Data”), MongoHQ breach root cause is an example of one of Top Ten Database Threats: “Limited Security Expertise and Education”:

“Internal security controls are not keeping pace with data growth and many organizations are ill-equipped to deal with a security breach. Often this is due to the lack of expertise required to implement security controls, policies, and training.”

This means that organizations should rely on the security expertise of 3rd party businesses instead of inventing the wheel or simply closing their eyes. Data security is a business of its own; Data service providers shouldn’t be surprised when breaches occur to non-secured data, and their security learning curve - and their customers (the ones that are left) - can be quite long and painful.

Since the breach, MongoHQ took very significant security measures, but mainly they utilized third-party validation of their security.

With Big Data Comes Big Responsibility

Limited security expertise and education is not only the service provider’s problem, it is also a real concern for its consumers. Were MongoHQ customers aware that their sensitive data was visible to the MongoHQ support application? Do you know who can access your data? How is it stored? Can it be copied?

These are all questions that are all too often forgotten, especially for young startup companies eager to build applications and avoid dealing with security and management costs.

Customers need to know what their service providers are doing to protect their data. This has recently become a new mandate with the rise of PCI-DSS v3.0, where service providers are now accountable for protecting the data of their customers. Data center security needs to be out in the open, especially “up in the cloud”.

While making your data somebody else’s problem is a nice fantasy, you are still accountable when it’s stolen or corrupted. You can’t guarantee your data availability when using a data service provider, but you can at least improve its integrity and confidentiality.

Joel Gascoigne from Buffer also realized this when he wrote on Hacker News:

“I want to be clear that this is still our fault. If access tokens were encrypted (which they are now) then this would have been avoided”.

You as a customer would be smart to take responsibly of your own data. Recognize where your sensitive data is and prepare for the inevitable day when it is compromised.    Additionally, we as customers need to hold our service providers accountable for security instead of just “taking their word.”

Authors & Topics:

Share on LinkedIn


There is no official certification on big data specifically that I am aware of. It makes sense that there isnt though, because the space has not been entirely figured out yet, which means that there are not real best practices. Stay tuned.

With the new requirements of PCI-DSS 3.0, are there any third party certifications around Big Data security or is the space too new? I recall working for an MSSP that became BS 7799 Part 2 certified in order to show potential clients that we didn't just talk-the-talk, but we also walked-the-walk.

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated, and will not appear until the author has approved them.