October 30, 2013
MongoHQ Breach Explains Buffer’s Weekend Hack Attack
Michael Harper for redOrbit.com - Your Universe Online
Social sharing service Buffer was hacked last weekend, sending out thousands of spammy weight loss ads on behalf of their users. Yesterday the hosting service MongoHQ which supports Buffer announced that they they too had suffered a breach and took down their servers as a precautionary measure.
Buffer CEO Joel Gascoigne now says that while MongoHQ opened a backdoor to allow the intruders into their system, weak security measures on Buffer’s end are still to blame. According to a MongoHQ blog post, a stolen employee password was used to break into the main administrators dashboard, which then gave the intruder access to Buffer’s customers and more.
Upon discovering the breach, MongoHQ says it locked down its servers and began reaching out to the small number of affected customers. Both MongoHQ and Buffer now say they’ll be implementing stronger security measures, including two-step authentication and protecting their dashboard behind a virtual private network or VPN.
The intruder had access to MongoHQ’s support tool, which lets employees impersonate their customers for customer support and troubleshooting. Once logged in with the support tool, the intruder was then able to impersonate a customer, in this case Buffer, and access the customer’s database. With this database exposed, the intruder was able to post spammy messages on behalf of Buffer’s customers.
“We have additionally determined that an unauthorized user to our support system would have had some access to our account database, which includes connection info for customer MongoDB instances,” the company said.
“We've conducted an audit of direct access to customer databases and determined that several databases may have been accessed using information stored in our account database. We are contacting affected customers directly. If you have not heard from us individually, there is no evidence that your [database] was accessed by an unauthorized user.”
Possibly the weakest link in MongoHQ’s security chain was the internal support application. This feature, which gave the intruder the ability to impersonate an actual customer, was exposed to the Internet without the protection of a VPN. The company has learned from this breach and now says they’ll be protecting their services with a VPN in the future.
It’s possible that the attack could have been worse, however, if it weren’t for their password encryption procedure. The company uses bcrypt, a service which is meant to impede brute-force attacks and clustered computers. Using sheer GPU force, attackers can quickly attempt up to two billion password combinations to unlock encrypted passwords. With bcrypt, however, a single machine can only try less than 4,000 possible passwords.
“We have full trust in MongoHQ that they have closed the security hole and are also very grateful about their fast update and the company helping us clear up all confusions in connection to the breach,” said Buffer’s Gascoigne in an updated blog post.
“I want to be clear that this is still our fault. If access tokens were encrypted (which they are now) then this would have been avoided.”
Gascoigne emailed his users last weekend after the breach left thousands of customers scratching their heads and wondering why they had posted or tweeted a message about a weight loss supplement. Until this incident, Buffer hadn’t been encrypting Facebook and Twitter tokens, meaning the MongoHQ intruder likely had little difficulty posting the spammy messages on behalf of Buffer’s users. Buffer has since restored their service with added security measures and say they still plan to issue a full report explaining the hack and what information was accessible by the hackers.