[HN Gopher] MongoDB is actively investigating a security incident
___________________________________________________________________

MongoDB is actively investigating a security incident

Author : ciudilo
Score  : 161 points
Date   : 2023-12-16 20:57 UTC (2 hours ago)

(HTM) web link (www.mongodb.com)
(TXT) w3m dump (www.mongodb.com)

  wg0 wrote:
  | Irrelevant but curious if MongoDB is still being picked up for
  | Greenfield projects given its licensing.

    dnndev wrote:
    | What's wrong with licensing?

      sigzero wrote:
      | https://www.mongodb.com/licensing/server-side-public-
      | license...
      |
      | I am not sure really.
      |
      | "It should be noted that the new license maintains all of the
      | same freedoms the community has always had with MongoDB under
      | AGPL - they are free to use, review, modify, and redistribute
      | the source code. The only changes are additional terms that
      | make explicit the conditions for offering a publicly
      | available MongoDB as a service.
      |
      | Obviously, this new license helps our business, but it is
      | also important for the MongoDB community. MongoDB has
      | invested over $300M in R&D over the past decade to offer an
      | open database for everyone, and with this change, MongoDB
      | will continue to be able to aggressively invest in R&D to
      | drive further innovation and value for the community."

        bdcravens wrote:
        | https://thenewstack.io/the-case-against-the-server-side-
        | publ...

      forwardemail wrote:
      | Encryption at rest is not supported in the community/free
      | version of MongoDB.
      |
      | We built an email service (IMAP support added a month ago)
      | and wrote a WebSocket to SQLite layer to solve our encryption
      | at rest needs for storage.
      |
      | See our deep dive at https://forwardemail.net/blog/docs/best-
      | quantum-safe-encrypt... for insight.

        dnndev wrote:
        | Really? How many open source databases do you offer? Some
        | may say it's not right for randos to complain when you give
        | something away and they complain that it's missing basics.
        | I'm just happy someone else wrote most of what I need and I
        | can extend it if needed.

        Nextgrid wrote:
        | I wonder, why would you want DB-managed encryption instead
        | of just putting its storage directory in a LUKS-encrypted
        | volume?

          forwardemail wrote:
          | We store each user's individual mailbox as its own
          | encrypted SQLite database file on an encrypted volume.
          | Even if the volume is decrypted, mailboxes can still not
          | be read. This is the main reason and we detail this in
          | the link we shared.
          |
          | Another requirement was full text search on the mailboxes
          | with the data itself being encrypted at rest (SQLite fit
          | our needs for that too; not many others provide this). We
          | have a comparison chart at
          | https://forwardemail.net/blog/docs/best-quantum-safe-
          | encrypt....

      mananaysiempre wrote:
      | MongoDB's SSPL is neither an open source license[1] nor, most
      | likely, a free software one[2]. Its definition of offering
      | the licensed software as a service is so broad most Linux
      | distributions[3-6] flat out refuse to ship MongoDB (not even
      | in a nonfree repository or the equivalent) so as to (among
      | other things) avoid placing the operators of their package
      | mirrors in legal jeopardy.
      |
      | [1] https://blog.opensource.org/the-sspl-is-not-an-open-
      | source-l...
      |
      | [2] https://opensource.stackexchange.com/q/13888
      |
      | [3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=915537
      |
      | [4] https://fedoraproject.org/wiki/Changes/MongoDB_Removal
      |
      | [5] https://bugzilla.opensuse.org/show_bug.cgi?id=1122267
      |
      | [6] https://lists.archlinux.org/archives/list/arch-dev-
      | public@li...

      ranting-moth wrote:
      | Their license "is to require that enhancements to MongoDB be
      | released to the community."
      |
      | I think it only hurts people who want to freeride the project
      | and extend it for selfish personal gains. That's OK by me.

        varelaz wrote:
        | That's a reply to Amazon's abuse of MongoDB (DocumentDB).

    pleoxy wrote:
    | Nothing wrong with picking mongo if it's a good fit for your
    | use case.

      webappguy wrote:
      | Exactly

  insanitybit wrote:
  | Nice and to the point, makes it clear that this is early,
  | explains the current scope, tells us to expect a follow up as the
  | information makes its way to them.
  |
  | I like this tbh and I hope people won't punish them for not
  | including more info when this is clearly in the early days of
  | investigation.

    webappguy wrote:
    | It was only DETECTED on the 13th, and they suspect it had been
    | going on 'for some time'. And basically not sure if user data
    | was touched, but they suspect or haven't provided it yet by
    | saying 'NOT'.
    |
    | I want answers.

      insanitybit wrote:
      | Yes, usually breaches take time to detect, and usually the
      | attackers are around for a while first.
      |
      | I'm sure they want answers too, but they're working on it,
      | and this is what they have right now.

  rompledorph wrote:
  | Received this security notice today:
  |
  | Hi Redacted,
  |
  | MongoDB is investigating a security incident involving
  | unauthorized access to certain MongoDB corporate systems. This
  | includes exposure of customer account metadata and contact
  | information. At this time, we are NOT aware of any exposure to
  | the data that customers store in MongoDB Atlas.
  |
  | We detected suspicious activity on Wednesday (Dec. 13th, 2023)
  | evening US Eastern Standard Time and immediately activated our
  | incident response process. We are still conducting an active
  | investigation and believe that this unauthorized access has been
  | going on for some period of time before discovery. We have also
  | started notifying relevant authorities.
  |
  | What should you do next? Since we are aware that some customer
  | account metadata and contact information was accessed, please be
  | vigilant for social engineering and phishing attacks. If not
  | already implemented, we encourage all customers to activate
  | phishing-resistant multi-factor authentication (MFA) and
  | regularly rotate passwords. MongoDB will continue to update
  | mongodb.com/alerts with additional information as we continue to
  | investigate the matter.
  |
  | Sincerely,
  | Lena Smart
  | MongoDB CISO

    sampli wrote:
    | Yeah, I received the same email. Luckily I don't actually use
    | mongodb atlas.

  0xblinq wrote:
  | "Your data is safe, because we've never written it to disk."

    satvikpendem wrote:
    | /dev/null is web scale
    |
    | https://youtube.com/watch?v=b2F-DItXtZs

      webappguy wrote:
      | Mongo has made huge improvements tbf, but this is funny.

    belter wrote:
    | Asked 11 years ago and still going strong... "To what extent
    | are 'lost data' criticisms still valid of MongoDB?" -
    | https://stackoverflow.com/questions/10560834/to-what-extent-...

    insanitybit wrote:
    | HN users would rather meme than read.

  iaresee wrote:
  | We are completely locked out of our Atlas account and the support
  | portal right now. We Okta-auth with Mongo and all attempts to
  | auth right now are failing with "The request contained invalid
  | data." displayed on their login screen.
  |
  | Of course, the support portal requires you to auth to use it...to
  | get help with auth failing.
  |
  | Anyone else seeing issues getting into their dashboard?
  |
  | Edit: Auth started working for us and dashboard access became
  | available for us around 5:15 pm ET.

    alexzeitler wrote:
    | upstream request timeout when trying to sign in

      iaresee wrote:
      | On our side, Okta is saying the auth is good.
      |
      | I'm trying my personal account as well and it's telling me
      | MFA isn't set up (it is) and it's making me go through the
      | MFA setup flow again. All attempts to set up another 2FA code
      | in 1Password or to get even an SMS code sent to my phone are
      | failing.
      |
      | Edit: Personal account with a TOTP 2FA is working again now
      | as well.
      |
      | This is feeling worse than they're letting on to.

        alexzeitler wrote:
        | Sign in now worked once and sent me into the MFA setup loop
        | but it failed.

          alexzeitler wrote:
          | this-is-fine.gif

        ThePowerOfFuet wrote:
        | You really should not be using SMS for 2FA.

          iaresee wrote:
          | You really aren't following along closely enough: all
          | other options were failing for me.

            speedgoose wrote:
            | But you have setup SMS 2FA enabled, which is convenient
            | this time but a big security hole. You should consider
            | disabling it once the situation comes back to normal.

              iaresee wrote:
              | > But you have setup SMS 2FA enabled
              |
              | No. I did not. Nor do I now.
              |
              | I had a TOTP setup in 1Password and Mongo was telling me
              | MFA _wasn't_ set up and sending me through the MFA setup
              | flow again.
              |
              | All options, SMS included, were failing in that MFA setup
              | flow they pushed me into.
              |
              | They're back now and my existing TOTP token is generating
              | one time use passwords that work now.

          salil999 wrote:
          | For my own knowledge, if the options were between using
          | SMS for 2FA or not having 2FA at all, then what is better?
          | I've heard mixed things about this.

            mtremsal wrote:
            | SMS 2FA is better than no MFA at all, despite the very
            | valid concerns about SMS. It at least protects against
            | credential stuffing and similar automated attacks.

    calyhre wrote:
    | Same here with Google SSO

      iaresee wrote:
      | We regained dashboard access around 5:15 pm ET.

    meghan wrote:
    | MongoDB employee posting:
    |
    | The login issues are unrelated to the security incident. We
    | notified all of our customers and users concurrently, resulting
    | in a spike in login attempts. Please try again in a few minutes
    | if you are still having trouble logging in.
    |
    | Please continue to monitor our alerts page:
    | https://www.mongodb.com/alerts

  superduperer wrote:
  | Are they doing well? Seems like the hype has kind of died down.

    WJW wrote:
    | They're apparently still growing quite rapidly, though the
    | company is not yet profitable.

      superduperer wrote:
      | They can legally claim anything these days. No chance they
      | are growing. If they are claiming that, it is fraud.

        lolinder wrote:
        | Why come ask a question if you apparently have inside
        | information that contradicts the answers you get?

          superduperer wrote:
          | My "inside information" is just basic knowledge of the
          | software industry. Saying MongoDB is growing is like
          | claiming Morbius is a good movie. It's just silly. Go
          | ahead, disagree with me, but it's kinda silly.

        WJW wrote:
        | They state these things in their quarterly filings with the
        | SEC, in which to my knowledge it is not legal to knowingly
        | misrepresent facts. If you have actual proof that MongoDB's
        | auditors are lying to the SEC, you can probably get a
        | pretty good whistleblower reward or at the very least make
        | a ton of money selling this money to hedge funds
        | specializing in shorting failing companies.

        bushbaba wrote:
        | They are growing revenue, which can be possible without
        | growing adoption.

    skatanski wrote:
    | The recent 7.0.0 version has dropped the old and introduced a
    | quite broken new query planner. Caused a lot of our queries to
    | miss. We've had the displeasure to work with the support on
    | multiple related issues.

    bytearray wrote:
    | Yeah, as a company they pretty much dominate the NoSQL space.
    | 1B+/year in revenue and that market is still growing at like
    | 30ish% YoY or so.

    cianigga wrote:
    | CEO just unloaded $100M worth of shares lately.

      ceejayoz wrote:
      | He's been selling consistently for years.
      | https://finance.yahoo.com/news/insider-sell-mongodb-incs-pre...

        stockocean wrote:
        | Has consistently been selling, but yeah, quite a big unload
        | https://archive.is/aPcRF

      mtremsal wrote:
      | This is almost certainly normal activity under a 10b-5 plan,
      | meant to protect specifically against suspicion of insider
      | trading, which is what you're implying.

  goenning wrote:
  | I never used/tried MongoDB. What are the reasons people choose
  | MongoDB over other DBs?

    salil999 wrote:
    | It's pretty easy to start with. MQL is also pretty easy to
    | understand + MongoDB kinda makes it fun.
    |
    | Note: I work at MongoDB

      webappguy wrote:
      | What's the update internally here? How long has this been
      | going on for? Any juice?

    webappguy wrote:
    | Easy, flexible schema nosql, plenty of baked in features. Has
    | its place, and many times when it would not be a good choice
    | too.

    010101010101 wrote:
    | It was an early player when everyone thought NoSQL document
    | databases solved every problem.

      jtriangle wrote:
      | They did solve many problems, and then they caused many more
      | problems...
      |
      | At first at least, haven't checked in on that in a while.

    sgift wrote:
    | They haven't read https://jepsen.io/analyses/mongodb-4.2.6 and
    | therefore make the mistake of thinking it's a good idea to use
    | it for some reason. It is not. I also never found any feature
    | which would want to make you use it in the first place, even
    | _if_ it weren't a bug-ridden mess that probably eats your data
    | if you don't look, but maybe I didn't look long enough.
    |
    | (also discussed on HN at the time, for more examples of their
    | great quality. That they haven't paid for a thorough follow-up
    | analysis after their supposed fix is all one needs to know)

      sigzero wrote:
      | So nothing has changed in the 3 years since that article?

        chx wrote:
        | I am not sure what's going on with Jepsen any more.
        |
        | https://jepsen.io/analyses
        |
        | There were zero done in 2021, two in early 2022, and even
        | the footer copyright says 2022.

      salil999 wrote:
      | I see this Jepsen link posted all the time. People: PLEASE
      | don't use outdated software. MongoDB has made mistakes and
      | they are public about their data issues on
      | https://www.mongodb.com/alerts. MongoDB 4.2.6 is old and I
      | believe it's approaching EoL based on
      | https://www.mongodb.com/support-policy/lifecycles
      |
      | I'm not going to push for you to use MongoDB but am merely
      | trying to provide some context around that Jepsen analysis.

        lolinder wrote:
        | Based on that lifecycle doc, the 4.2 line is already EOL,
        | and 4.4 will be soon.

      insanitybit wrote:
      | > That they haven't paid for a thorough follow-up analysis
      | after their supposed fix is all one needs to know
      |
      | As much fun as Jepsen is, I'd probably not follow up with a
      | company that turned my product into a mockery. I enjoy the
      | hell out of reading that report as an outsider, and I
      | personally would be a repeat customer, but I can see how a
      | company might not love the writeup.

    Jonovono wrote:
    | It's a really great alternative to firebase for mobile apps.
    | Works pretty nicely with Realm so you get an offline first db
    | with powerful syncing. All the benefits of realm on the edge
    | device with the power of the mongo platform. I dismissed mongo
    | atlas for years because "mongo", until I finally gave it a
    | chance. Overall been pretty pleased.

    tgv wrote:
    | I use it on-prem (well, on a VPS). It stores JSON documents,
    | and it's easy to work with. If your data looks like a tree, it
    | works pretty well, also for large documents. If you depend on
    | relations between documents, you're better off with an SQL
    | database, but note that for many cases --I'd say practically
    | all mundane cases-- there's really no need for relations the
    | SQL way. MongoDB also does relations, but a bit more
    | convoluted.

    bossyTeacher wrote:
    | Mongo is the main nosql choice. Mongo is great if you think a
    | flexible schema is good. Mongo is not great if you think a
    | flexible schema is bad. That sums it up.

      iLoveOncall wrote:
      | This is too reductive; you can essentially have flexible
      | schemas with most modern relational databases and without the
      | downsides of document-based DBs.
      |
      | In 99% of the cases, even if you need a flexible schema,
      | PostgreSQL will remain the best choice.

  webappguy wrote:
  | Just got email alert

___________________________________________________________________
(page generated 2023-12-16 23:00 UTC)