MongoDB on Saturday disclosed it's actively investigating a security incident that has led to unauthorized access to "certain" corporate systems, resulting in the exposure of customer account metadata and contact information.

The American database software company said it first detected anomalous activity on December 13, 2023, and that it immediately activated its incident response efforts.

It further noted that "this unauthorized access has been going on for some period of time before discovery," but emphasized it's not "aware of any exposure to the data that customers store in MongoDB Atlas." It did not disclose the exact time period of the compromise.

In light of the breach, MongoDB recommends that all customers be on the lookout for social engineering and phishing attacks, enforce phishing-resistant multi-factor authentication (MFA), and rotate their MongoDB Atlas passwords.

That's not all. The company said it's also experiencing elevated login attempts that are causing issues for customers trying to log in to Atlas and its Support Portal. However, it said the problem is unrelated to the security event and was resolved as of December 16, 10:22 p.m. ET.

When reached for comment, MongoDB told The Hacker News that the incident is a matter of ongoing investigation and that it will "provide updates as soon as we can."

Update (as of December 17, 9:00 p.m. ET)

In a follow-up statement shared with the publication, the company said it found no evidence of unauthorized access to MongoDB Atlas clusters -

To be clear, we have not identified any security vulnerability in any MongoDB product as a result of this incident. It is important to note that MongoDB Atlas cluster access is authenticated via a separate system from MongoDB corporate systems, and we have found no evidence that the Atlas cluster authentication system has been compromised.

We are aware of unauthorized access to some corporate systems that contain customer names, phone numbers, and email addresses among other customer account metadata, including system logs for one customer. We have notified the affected customer. At this time, we have found no evidence that any other customers' system logs were accessed.

We are continuing with our investigation, and are working with relevant authorities and forensic firms.

Update (as of December 18, 9:00 p.m. ET)

MongoDB, in an update to its advisory, said it was a victim of a phishing attack and that the malicious actor used Mullvad VPN to conceal their origins. It listed a total of 15 IP addresses from which the activity originated.

However, the company has yet to disclose when the attack took place, which systems were accessed, and how many customers' information may be affected by the breach of its corporate systems.
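The practical use of the indicator list in MongoDB's advisory is to sweep your own authentication and access logs for logins from those addresses. The script below is an added example, not code from MongoDB or from this article: it does not reproduce the 15 IP addresses from the advisory, but uses constructed RFC 5737 placeholder addresses, a constructed netblock, and constructed key=value log lines (not real Atlas or MongoDB log records). Substitute the advisory's addresses and your own log format when running it for real.

```python
import ipaddress
import re

# Constructed indicator list. These are RFC 5737 documentation addresses standing in
# for the 15 IPs in MongoDB's advisory, which this example does not reproduce;
# substitute the advisory's list when running this for real.
INDICATOR_IPS = frozenset({"198.51.100.23", "203.0.113.7"})

# Constructed netblock, to show that a whole range (for instance a VPN provider's
# published exit range) can be matched alongside individual addresses.
INDICATOR_NETWORKS = (ipaddress.ip_network("192.0.2.0/28"),)

# Constructed sample log lines in a generic key=value access-log style. They are
# not real MongoDB or Atlas log records.
SAMPLE_LOGS = """\
2023-12-14T02:11:09Z login user=alice@example.com src=198.51.100.23 result=success
2023-12-14T02:11:31Z login user=bob@example.com src=10.0.0.5 result=success
2023-12-14T02:12:04Z login user=carol@example.com src=192.0.2.9 result=failure
2023-12-15T09:40:12Z login user=dave@example.com src=203.0.113.7 result=success
2023-12-15T09:41:00Z login user=erin@example.com src=not-an-ip result=success
"""

SRC_RE = re.compile(r"\bsrc=(\S+)")
USER_RE = re.compile(r"\buser=(\S+)")


def parse_src(line):
    """Extract the src= field as an ip_address object, or None if missing or malformed."""
    m = SRC_RE.search(line)
    if m is None:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        # A malformed address is skipped rather than aborting the whole sweep.
        return None


def is_indicator(ip, indicator_ips=INDICATOR_IPS, indicator_networks=INDICATOR_NETWORKS):
    """True if ip is one of the listed addresses or falls inside a listed netblock."""
    if ip is None:
        return False
    if str(ip) in indicator_ips:
        return True
    # ipaddress returns False for an address/network version mismatch, so mixing
    # IPv4 and IPv6 indicators is safe here.
    return any(ip in net for net in indicator_networks)


def find_matches(log_text, indicator_ips=INDICATOR_IPS, indicator_networks=INDICATOR_NETWORKS):
    """Return (line_number, ip, line) for every log line whose source IP is an indicator."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        ip = parse_src(line)
        if is_indicator(ip, indicator_ips, indicator_networks):
            hits.append((lineno, ip, line))
    return hits


def affected_users(log_text, **kwargs):
    """Distinct user= values seen from an indicator IP: the accounts to review and rotate first."""
    users = set()
    for _, _, line in find_matches(log_text, **kwargs):
        m = USER_RE.search(line)
        if m:
            users.add(m.group(1))
    return sorted(users)


if __name__ == "__main__":
    for lineno, ip, line in find_matches(SAMPLE_LOGS):
        print(f"line {lineno}: {ip} -> {line}")
    print("users to review:", affected_users(SAMPLE_LOGS))
```

Two points worth noting for a real sweep: a Mullvad exit address can be shared by many unrelated users, so a match is a lead to investigate, not proof of compromise on its own; and because the advisory gives no window for when the access began, the sweep should cover as far back as your log retention allows rather than only the days around December 13.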

Update (as of December 20, 9:00 p.m. ET)

In a follow-up revision to its advisory, MongoDB said that the phishing attack allowed the unauthorized third party to gain access to some of the corporate applications used to provide support services to MongoDB customers. It also shared the contact information and related account metadata that were accessed from the compromised apps.
