The company determined that the access had been enabled via a password that was shared with a compromised personal account. The support application provides access to lists of databases, e-mail addresses, and bcrypt-hashed user credentials.
"Our support tool includes an 'impersonate' feature that enables MongoHQ employees to access our primary web UI as if they were a logged in customer, for use in troubleshooting customer problems," MongoHQ founder and CEO Jason McCay wrote in a blog post announcing the breach. "This feature was used with a small number of customer web UI accounts. Our primary web UI allows customers to browse data and manage their databases. We are contacting affected customers directly."
The company also determined that several databases may have been accessed using information stored in the account database. All affected customers are being contacted directly.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
Later, McCay added, "Our investigations into this incident are ongoing. Currently, it appears that the unauthorized user was scanning for social media authentication information for spamming purposes, and probing for financial information in customer database."