[HN Gopher] MongoDB is actively investigating a security incident
___________________________________________________________________
MongoDB is actively investigating a security incident
Author : ciudilo
Score : 161 points
Date : 2023-12-16 20:57 UTC (2 hours ago)
| wg0 wrote:
| Irrelevant but curious if MongoDB is still being picked up for
| Greenfield projects given its licensing.
| dnndev wrote:
| What's wrong with licensing?
| sigzero wrote:
| https://www.mongodb.com/licensing/server-side-public-
| license...
|
| I am not sure really.
|
| "It should be noted that the new license maintains all of the
| same freedoms the community has always had with MongoDB under
| AGPL - they are free to use, review, modify, and redistribute
| the source code. The only changes are additional terms that
| make explicit the conditions for offering a publicly
| available MongoDB as a service.
|
| Obviously, this new license helps our business, but it is
| also important for the MongoDB community. MongoDB has
| invested over $300M in R&D over the past decade to offer an
| open database for everyone, and with this change, MongoDB
| will continue to be able to aggressively invest in R&D to
| drive further innovation and value for the community."
| bdcravens wrote:
| https://thenewstack.io/the-case-against-the-server-side-
| publ...
| forwardemail wrote:
| Encryption at rest is not supported in the community/free
| version of MongoDB.
|
| We built an email service (IMAP support added a month ago)
| and wrote a WebSocket to SQLite layer to solve our encryption
| at rest needs for storage.
|
| See our deep dive at https://forwardemail.net/blog/docs/best-
| quantum-safe-encrypt... for insight.
| dnndev wrote:
| Really? How many open source databases do you offer? Some
| may say it's not right for randos to complain when you give
| something away and they complain that it's missing basics.
| I'm just happy someone else wrote most of what I need and I
| can extend it if needed.
| Nextgrid wrote:
| I wonder, why would you want DB-managed encryption instead
| of just putting its storage directory in a LUKS-encrypted
| volume?
| forwardemail wrote:
| We store each user's individual mailbox as its own
| encrypted SQLite database file on an encrypted volume.
| Even if the volume is decrypted, mailboxes can still not
| be read. This is the main reason and we detail this in
| the link we shared.
|
| Another requirement was full text search on the mailboxes
| with the data itself being encrypted at rest (SQLite fit
| our needs for that too; not many others provide this). We
| have a comparison chart at
| https://forwardemail.net/blog/docs/best-quantum-safe-
| encrypt....
| mananaysiempre wrote:
| MongoDB's SSPL is neither an open source license[1] nor, most
| likely, a free software one[2]. Its definition of offering
| the licensed software as a service is so broad most Linux
| distributions[3-6] flat out refuse to ship MongoDB (not even
| in a nonfree repository or the equivalent) so as to (among
| other things) avoid placing the operators of their package
| mirrors in legal jeopardy.
|
| [1] https://blog.opensource.org/the-sspl-is-not-an-open-
| source-l...
|
| [2] https://opensource.stackexchange.com/q/13888
|
| [3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915537
|
| [4] https://fedoraproject.org/wiki/Changes/MongoDB_Removal
|
| [5] https://bugzilla.opensuse.org/show_bug.cgi?id=1122267
|
| [6] https://lists.archlinux.org/archives/list/arch-dev-
| public@li...
| ranting-moth wrote:
| Their license "is to require that enhancements to MongoDB be
| released to the community."
|
| I think it only hurts people who want to freeride the project
| and extend it for selfish personal gains. That's OK by me.
| varelaz wrote:
| That's a reply to Amazon's abuse of MongoDB (DocumentDB)
| pleoxy wrote:
| Nothing wrong with picking mongo if it's a good fit for your
| use case.
| webappguy wrote:
| Exactly
| insanitybit wrote:
| Nice and to the point, makes it clear that this is early,
| explains the current scope, tells us to expect a follow up as the
| information makes its way to them.
|
| I like this tbh and I hope people won't punish them for not
| including more info when this is clearly in the early days of
| investigation.
| webappguy wrote:
| It was only DETECTED on the 13th, and they suspect it had been
| going on 'for some time'. And basically they're not sure if user
| data was touched, but they suspect it or haven't provided it yet,
| by saying 'NOT'.
|
| I want answers.
| insanitybit wrote:
| Yes, usually breaches take time to detect, and usually the
| attackers are around for a while first.
|
| I'm sure they want answers too, but they're working on it,
| and this is what they have right now.
| rompledorph wrote:
| Received this security notice today:
|
| Hi Redacted,
|
| MongoDB is investigating a security incident involving
| unauthorized access to certain MongoDB corporate systems. This
| includes exposure of customer account metadata and contact
| information. At this time, we are NOT aware of any exposure to
| the data that customers store in MongoDB Atlas.
|
| We detected suspicious activity on Wednesday (Dec. 13th, 2023)
| evening US Eastern Standard Time and immediately activated our
| incident response process. We are still conducting an active
| investigation and believe that this unauthorized access has been
| going on for some period of time before discovery. We have also
| started notifying relevant authorities.
|
| What should you do next? Since we are aware that some customer
| account metadata and contact information was accessed, please be
| vigilant for social engineering and phishing attacks. If not
| already implemented, we encourage all customers to activate
| phishing-resistant multi-factor authentication (MFA) and
| regularly rotate passwords. MongoDB will continue to update
| mongodb.com/alerts with additional information as we continue to
| investigate the matter.
|
| Sincerely, Lena Smart MongoDB CISO
| sampli wrote:
| Yeah I received the same email. Luckily I don't actually use
| MongoDB Atlas
| 0xblinq wrote:
| "Your data is safe, because we've never written it to disk."
| satvikpendem wrote:
| /dev/null is web scale
|
| https://youtube.com/watch?v=b2F-DItXtZs
| webappguy wrote:
| Mongo has made huge improvements tbf, but this is funny
| belter wrote:
| Asked 11 years ago and still going strong... "To what extent
| are 'lost data' criticisms still valid of MongoDB?" -
| https://stackoverflow.com/questions/10560834/to-what-extent-...
| insanitybit wrote:
| HN users would rather meme than read.
| iaresee wrote:
| We are completely locked out of our Atlas account and the support
| portal right now. We Okta-auth with Mongo and all attempts to
| auth right now are failing with "The request contained invalid
| data." displayed on their login screen.
|
| Of course, the support portal requires you to auth to use it... to
| get help with auth failing.
|
| Anyone else seeing issues getting into their dashboard?
|
| Edit: Auth started working for us and dashboard access became
| available for us around 5:15 pm ET.
| alexzeitler wrote:
| upstream request timeout when trying to sign in
| iaresee wrote:
| On our side, Okta is saying the auth is good.
|
| I'm trying my personal account as well and it's telling me
| MFA isn't set up (it is) and it's making me go through the
| MFA setup flow again. All attempts to set up another 2FA code
| in 1Password or to get even an SMS code sent to my phone are
| failing.
|
| Edit: Personal account with a TOTP 2FA is working again now
| as well.
|
| This is feeling worse than they're letting on to.
| alexzeitler wrote:
| Sign in now worked once and sent me into the MFA setup loop
| but it failed.
| alexzeitler wrote:
| this-is-fine.gif
| ThePowerOfFuet wrote:
| You really should not be using SMS for 2FA.
| iaresee wrote:
| You really aren't following along closely enough: all
| other options were failing for me.
| speedgoose wrote:
| But you have SMS 2FA set up, which is convenient
| this time but a big security hole. You should consider
| disabling it once the situation comes back to normal.
| iaresee wrote:
| > But you have SMS 2FA set up
|
| No. I did not. Nor do I now.
|
| I had a TOTP set up in 1Password and Mongo was telling me
| MFA _wasn't_ set up and sending me through the MFA setup
| flow again.
|
| All options, SMS included, were failing in that MFA setup
| flow they pushed me into.
|
| They're back now and my existing TOTP token is generating
| one time use passwords that work now.
| salil999 wrote:
| For my own knowledge, if the options were between using
| SMS for 2FA or not having 2FA at all then what is better?
| I've heard mixed things about this.
| mtremsal wrote:
| SMS 2FA is better than no MFA at all, despite the very
| valid concerns about SMS. It at least protects against
| credential stuffing and similar automated attacks.
| calyhre wrote:
| Same here with Google SSO
| iaresee wrote:
| We regained dashboard access around 5:15 pm ET.
| meghan wrote:
| MongoDB employee posting:
|
| The login issues are unrelated to the security incident. We
| notified all of our customers and users concurrently resulting
| in a spike in login attempts. Please try again in a few minutes
| if you are still having trouble logging in.
|
| Please continue to monitor our alerts page:
| https://www.mongodb.com/alerts
| superduperer wrote:
| Are they doing well? Seems like the hype has kind of died down.
| WJW wrote:
| They're apparently still growing quite rapidly, though the
| company is not yet profitable.
| superduperer wrote:
| They can legally claim anything these days. No chance they
| are growing. If they are claiming that it is fraud.
| lolinder wrote:
| Why come ask a question if you apparently have inside
| information that contradicts the answers you get?
| superduperer wrote:
| My "inside information" is just basic knowledge of the
| software industry. Saying MongoDB is growing is like claiming
| Morbius is a good movie. It's just silly. Go ahead and
| disagree with me, but it's kinda silly.
| WJW wrote:
| They state these things in their quarterly filings with the
| SEC, in which to my knowledge it is not legal to knowingly
| misrepresent facts. If you have actual proof that MongoDB's
| auditors are lying to the SEC, you can probably get a
| pretty good whistleblower reward or at the very least make
| a ton of money selling this money to hedge funds
| specializing in shorting failing companies.
| bushbaba wrote:
| They are growing revenue, which is possible without
| growing adoption
| skatanski wrote:
| The recent 7.0.0 version dropped the old query planner and
| introduced a quite broken new one. It caused a lot of our
| queries to miss. We've had the displeasure of working with
| support on multiple related issues.
| bytearray wrote:
| Yeah, as a company they pretty much dominate the NoSQL space.
| 1B+/year in revenue and that market is still growing at like
| 30ish% YoY or so.
| cianigga wrote:
| CEO just unloaded $100M worth of shares lately.
| ceejayoz wrote:
| He's been selling consistently for years.
| https://finance.yahoo.com/news/insider-sell-mongodb-incs-pre...
| stockocean wrote:
| Has consistently been selling, but yeah quite a big unload
| https://archive.is/aPcRF
| mtremsal wrote:
| This is almost certainly normal activity under a 10b-5 plan,
| meant to protect specifically against suspicion of insider
| trading, which is what you're implying.
| goenning wrote:
| I never used/tried MongoDB, what are the reasons people choose
| MongoDB over other DBs?
| salil999 wrote:
| It's pretty easy to start with. MQL is also pretty easy to
| understand + MongoDB kinda makes it fun.
|
| Note: I work at MongoDB
| webappguy wrote:
| What's the update internally here? How long has this been going
| on for? Any juice?
| webappguy wrote:
| Easy, flexible-schema NoSQL, plenty of baked-in features. Has
| its place, and many times when it would not be a good choice
| too.
| 010101010101 wrote:
| It was an early player when everyone thought NoSQL document
| databases solved every problem.
| jtriangle wrote:
| They did solve many problems, and then they caused many more
| problems...
|
| At first at least, haven't checked in on that in a while
| sgift wrote:
| They haven't read https://jepsen.io/analyses/mongodb-4.2.6 and
| therefore make the mistake of thinking it's a good idea to use it
| for some reason. It is not. I also never found any feature
| which would make you want to use it in the first place, even
| _if_ it weren't a bug-ridden mess that probably eats your data
| if you don't look, but maybe I didn't look long enough.
|
| (also discussed on HN at the time, for more examples of their
| great quality. That they haven't paid for a thorough follow-up
| analysis after their supposed fix is all one needs to know)
| sigzero wrote:
| So nothing has changed in the 3 years since that article?
| chx wrote:
| I am not sure what's going on with Jepsen any more.
|
| https://jepsen.io/analyses
|
| there were zero done in 2021, two in early 2022 and even
| the footer copyright says 2022.
| salil999 wrote:
| I see this Jepsen link posted all the time. People: PLEASE
| don't use outdated software. MongoDB has made mistakes and
| they are public about their data issues on
| https://www.mongodb.com/alerts. MongoDB 4.2.6 is old and I
| believe it's approaching EoL based on
| https://www.mongodb.com/support-policy/lifecycles
|
| I'm not going to push for you to use MongoDB but am merely
| trying to provide some context around that Jepsen analysis.
| lolinder wrote:
| Based on that lifecycle doc, the 4.2 line is already EOL,
| and 4.4 will be soon.
| insanitybit wrote:
| > That they haven't paid for a thorough follow-up analysis
| after their supposed fix is all one needs to know
|
| As much fun as Jepsen is, I'd probably not follow up with a
| company that turned my product into a mockery. I enjoy the
| hell out of reading that report as an outsider, and I
| personally would be a repeat customer, but I can see how a
| company might not love the writeup.
| Jonovono wrote:
| It's a really great alternative to firebase for mobile apps.
| Works pretty nicely with Realm so you get offline first db with
| powerful syncing. All the benefits of realm on the edge device
| with the power of the mongo platform. I dismissed mongo atlas
| for years because "mongo", until I finally gave it a chance.
| Overall been pretty pleased.
| tgv wrote:
| I use it on-prem (well, on a VPS). It stores JSON documents,
| and it's easy to work with. If your data looks like a tree, it
| works pretty well, also for large documents. If you depend on
| relations between documents, you're better off with an SQL
| database, but note that for many cases --I'd say practically
| all mundane cases-- there's really no need for relations the
| SQL way. MongoDB also does relations, but a bit more
| convoluted.
| bossyTeacher wrote:
| Mongo is the main nosql choice. Mongo is great if you think a
| flexible schema is good. Mongo is not great if you think a
| flexible schema is bad. That sums it up
| iLoveOncall wrote:
| This is too reductive; you can essentially have flexible
| schemas with most modern relational databases and without the
| downsides of document-based DBs.
|
| In 99% of the cases, even if you need a flexible schema,
| PostgreSQL will remain the best choice.
| webappguy wrote:
| Just got email alert
___________________________________________________________________
(page generated 2023-12-16 23:00 UTC)