MongoHQ and Buffer security breaches blamed on weak password management

An employee's reuse of a personal password on a corporate account led to a major customer-data leak and widespread social media spam.


MongoHQ is a database-as-a-service provider founded in 2011 to offer hosted instances of MongoDB, a popular NoSQL database. The company is a Y Combinator alum and has many high-profile customers.

The password of one of MongoHQ's employees was stolen from a consumer site, either through a hack of that site or through phishing. The employee happened to use the same password for MongoHQ's corporate SaaS applications. Because one password unlocked both, a breach at an unrelated consumer site became a breach at MongoHQ: the attackers used the stolen password to log in to MongoHQ's admin tool, and from there accessed the data stored by many MongoHQ customers.


A high-profile downstream victim was Buffer, a MongoHQ customer. The attackers grabbed social media access tokens stored in Buffer's databases on MongoHQ and used them to post spam to the Facebook and Twitter accounts of 30,000+ Buffer users. The attackers also broke into Buffer's GitHub account and stole its codebase.


While TechCrunch described the event as "a major attack that reflects on the poor state of security in the startup community," we here at Bitium firmly believe it is merely a lack of education. Security is a tough business, and the controls that are easiest to get right are sometimes the ones that get overlooked. In the case of MongoHQ, hindsight lets us say with confidence that the employee should never have reused a personal password for a corporate account.

In actuality, the answer is much simpler: employees shouldn't have to come up with their own passwords. In fact, they don't even need to know passwords anymore; they just need access to their corporate applications. At Bitium, password and application management is just the beginning. Check out our other features, and stay tuned for more in our series about the nexus of SaaS and security.