Reusing passwords on accounts compromises cloud firm
Web Services
MongoHQ, a Web services firm that hosts databases for customers, detected unauthorized activity on an employee’s administrative app.
“The classic no-no of sharing passwords across multiple accounts is what gave the attackers access to the MongoHQ admin application. The password – used for an employee's admin account – was the same one used for a personal account, according to company officials, who said it was discovered that the staffer's personal account had been compromised,” SC Magazine reports.
The incident may have exposed lists of client databases, email addresses and “bcrypt-hashed” credentials, according to a post by MongoHQ CEO Jason McCay.
This hack has already tainted one customer’s system.
It led to the infiltration of social media sharing service Buffer, which confirmed the connection in a blog post. MongoHQ manages Buffer's database.
“Hackers logged into the main admin dashboard of MongoHQ and were able to use the ‘impersonate’ feature to see all of Buffer’s database information. Through that, they wrote a script to steal our social access tokens and post spam messages on behalf of our users,” Buffer CEO Joel Gascoigne wrote. The impersonation feature lets MongoHQ employees access customers’ systems as if they were logged in as the customer, for use in troubleshooting problems.
All MongoHQ employee email accounts, network devices and internal applications have been locked until after an audit and enforcement of tighter security measures.
The company is notifying all affected customers individually.
ThreatWatch is a regularly updated catalog of data breaches successfully striking every sector of the globe, as reported by journalists, researchers and the victims themselves.