The hackers gained access to databases after stealing an employee's credentials

Oct 30, 2013 07:59 GMT

On October 26, representatives of Buffer, the service that allows users to schedule the messages they post on social media websites, admitted to being hacked. It turns out that the attackers breached the company through the database service MongoHQ.

According to MongoHQ, the attackers gained unauthorized access to an internal support application by stealing an employee’s credentials.

The support application gave the hackers access to lists of databases, email addresses and hashed user credentials (bcrypt).

By using the support application’s “impersonate” feature, the cybercriminals could browse and manage MongoHQ customer databases.

MongoHQ plans on implementing two-factor authentication, VPN access and a permissions system to prevent further incidents. While these mechanisms are rolled out, many applications have been locked out or disabled.

In addition, Amazon Web Services credentials stored on their systems have been invalidated, and an IT security consulting firm has been called in to perform penetration testing.

MongoHQ advises users to change their database passwords and make sure there aren’t any unused, invalid or expired usernames.

The company is in the process of notifying customers whose databases have been accessed by the cybercriminals. One of the victims appears to be Buffer, whose customers had their social media accounts abused for spam.

Buffer CEO and founder Joel Gascoigne has confirmed that the attackers obtained the API tokens for Twitter and Facebook accounts by breaching MongoHQ. On the other hand, Gascoigne admits that the spamming attack against their customers is still their fault.

“If access tokens were encrypted (which they are now) then this would have been avoided. In addition, MongoHQ have provided great insights and have much more logging in place than we have ourselves. We’re also increasing logging significantly as a result,” he noted in a blog post.
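The mitigation Gascoigne mentions, encrypting access tokens before they are written to a hosted database, is sketched below as an added example; it is not Buffer's or MongoHQ's code. It uses Node.js's built-in crypto module, and the function names, record layout and key handling are assumptions, with a constructed sample token.

```javascript
// Added example: field-level encryption of OAuth access tokens before they
// are stored in a hosted database. All names here are hypothetical.
const crypto = require('crypto');

// Assumption: the 32-byte key lives in a secret store or KMS that the
// database provider cannot reach. It is generated here only for the demo.
const KEY = crypto.randomBytes(32);

// Encrypt with AES-256-GCM and bind the ciphertext to its owner and provider
// through the additional authenticated data (AAD).
function sealToken(key, userId, provider, token) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(`${userId}|${provider}`, 'utf8'));
  const ct = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  // Stored form: version.iv.tag.ciphertext (base64 never contains '.')
  const parts = [iv, cipher.getAuthTag(), ct].map((b) => b.toString('base64'));
  return ['v1', ...parts].join('.');
}

// Decrypt and verify; throws if the key, owner, provider or data do not match.
function openToken(key, userId, provider, sealed) {
  const [version, iv, tag, ct] = sealed.split('.');
  if (version !== 'v1' || !iv || !tag || !ct) throw new Error('bad token format');
  const decipher = crypto.createDecipheriv(
    'aes-256-gcm', key, Buffer.from(iv, 'base64'), { authTagLength: 16 });
  decipher.setAAD(Buffer.from(`${userId}|${provider}`, 'utf8'));
  decipher.setAuthTag(Buffer.from(tag, 'base64'));
  const pt = Buffer.concat([decipher.update(Buffer.from(ct, 'base64')), decipher.final()]);
  return pt.toString('utf8');
}

// Constructed sample record, as it would sit in the database.
const record = {
  userId: 'user-1001',
  provider: 'twitter',
  accessToken: sealToken(KEY, 'user-1001', 'twitter', 'constructed-sample-token'),
};
```

Someone who can read the database but not the key sees only the sealed value, and a sealed token copied into another user's record fails authentication on decryption.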