Bitium's Response to Heartbleed

What was the problem?

Late yesterday, OpenSSL, a major open-source security library, announced a serious security hole in their software. The security issue is known as the "Heartbleed" bug, named after the “heartbeat” feature that introduced the problem. A detailed writeup is available at and the issue has been assigned the identifier CVE-2014-0160 by

The security hole allows an attacker to read memory from an affected system over a normal SSL (secure) connection. Because the exploit takes place inside the SSL protocol, which is used to secure network connections for things like web sites, email servers, VPNs, etc., it is undetectable. An attacker using the exploit would in theory be able to read the secret keys used to establish the SSL connection and thus decrypt other people’s secure traffic. In theory, any information you were sending to and from a “secure” website (e.g. passwords, bank account details, email text, etc.) is at risk of being snooped upon.

We also have a more detailed post about the vulnerability.


What is affected?

All Bitium servers are hosted in Amazon’s EC2 environment. While our servers were not vulnerable to the problem, Amazon’s load balancers and the servers at our CDN, EdgeCast, were vulnerable. We have been in discussions with both providers and have confirmed that both have applied the necessary patches to their systems in the last 24 hours.


What happens next?

We are in the process of rotating our SSL certificates under the assumption that the SSL secret keys might have been leaked. We will also reset all login and two-factor authentication (2FA) sessions, which will require users to re-verify their credentials.


What should our customers do? 

We strongly recommend that customers change their Bitium passwords as well as passwords for all other applications. While no passwords stored in Bitium are known to have been leaked, the vulnerability that allows this exploit has been in the wild for some time now, and it is possible that passwords used outside of the Bitium environment have been compromised.

Now would be a great opportunity for everyone to review the strength of their passwords and enable two-factor authentication on mission-critical applications.

We also suggest that customers talk to each of their SaaS vendors and verify that they have updated their systems.


Heartbleed OpenSSL Vulnerability

A serious security hole was found Monday in OpenSSL, an open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols used by the vast majority of web servers. The new bug, given the technical name CVE-2014-0160 but dubbed "Heartbleed" by the community, has software vendors and security researchers scrambling to re-secure their systems.

What exactly happened?

On Monday morning researchers from the computer security company Codenomicon, along with Neel Mehta, a security researcher at Google, disclosed a vulnerability that would allow attackers to compromise both in-transit and locally stored encrypted communications. This includes encrypted data such as login and password information, session keys for website logins, and message text.

The vulnerability is the result of a missing bounds check in the TLS heartbeat extension for SSL, leading to an arbitrary number of 64k blocks of server memory being exposed, with one block being accessed per TLS heartbeat request. A summary of the situation can be found at, and a more technical breakdown of what exactly went wrong has been provided by Sean Cassidy on his blog.
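To show what the missing bounds check described above amounts to, here is an added Python model of the heartbeat exchange (an illustration for this post, not OpenSSL's code): the unchecked handler echoes however many bytes the request claims, while the checked handler applies the 1.0.1g-style length test and discards the record. The record layout, the 16-byte padding and the contents of the constructed "process memory" are assumptions made for the illustration.

```python
"""Simplified model of the TLS heartbeat handling behind Heartbleed.

Added illustration, not OpenSSL's code. "Process memory" is a constructed
bytes object: the heartbeat record that arrived, followed by other data
(a stand-in for neighbouring heap contents) that the peer must never see.
Record layout follows RFC 6520: type(1) | payload_length(2) | payload | padding.
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520 requires at least 16 bytes of padding

# Constructed stand-in for whatever happened to sit after the record in memory.
NEIGHBOURING_MEMORY = b"session=abc123;"


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat request. claimed_len lets the caller declare a
    payload_length that is larger than the payload actually sent."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * PADDING_LEN


def respond_unchecked(memory: bytes, record_len: int) -> bytes:
    """Vulnerable model: trusts the peer-supplied payload_length and echoes
    that many bytes starting right after the header, regardless of how
    long the received record (record_len) actually was."""
    _hb_type, payload_len = struct.unpack("!BH", memory[:3])
    echoed = memory[3:3 + payload_len]  # may run well past record_len
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + echoed + b"\x00" * PADDING_LEN


def respond_checked(memory: bytes, record_len: int) -> Optional[bytes]:
    """Hardened model with the 1.0.1g-style bounds check: silently discard
    any record whose claimed payload does not fit inside the bytes received."""
    if record_len < 1 + 2 + PADDING_LEN:
        return None  # too short to even hold the header plus minimum padding
    _hb_type, payload_len = struct.unpack("!BH", memory[:3])
    if 1 + 2 + payload_len + PADDING_LEN > record_len:
        return None  # claimed length exceeds the record: discard
    payload = memory[3:3 + payload_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * PADDING_LEN


def simulate(payload: bytes, claimed_len: Optional[int], checked: bool) -> Optional[bytes]:
    """Deliver one heartbeat request to the chosen handler and return its response."""
    record = build_heartbeat(payload, claimed_len)
    memory = record + NEIGHBOURING_MEMORY  # constructed process memory
    handler = respond_checked if checked else respond_unchecked
    return handler(memory, len(record))


def response_payload(response: bytes) -> bytes:
    """Extract the payload a responder echoed back (header and padding removed)."""
    _hb_type, payload_len = struct.unpack("!BH", response[:3])
    return response[3:3 + payload_len]


if __name__ == "__main__":
    honest = simulate(b"hi", None, checked=True)
    print("honest request, checked handler:", response_payload(honest))
    oversized = 2 + PADDING_LEN + len(NEIGHBOURING_MEMORY)
    print("oversized claim, unchecked handler:",
          response_payload(simulate(b"hi", oversized, checked=False)))
    print("oversized claim, checked handler:", simulate(b"hi", oversized, checked=True))
```

The unchecked handler's response contains the constructed neighbouring bytes, which is the per-request leak the post describes; the checked handler returns nothing for the same request.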

Who is vulnerable?

This vulnerability is present in OpenSSL versions 1.0.1 through 1.0.1f. It was first released into the wild on March 14th, 2012 with the public release of version 1.0.1. On Monday, April 7, 2014 OpenSSL released version 1.0.1g, which patches the vulnerability, but until major websites and vendors apply this patch to their own systems, a great deal of encrypted Internet traffic is still vulnerable. Unfortunately the vulnerability leaves no log traces on compromised servers, so the true extent of the exploit is unknown at this time. Researchers have set up honeypot servers to try to estimate the volume of this exploit in the wild, but no results have been released at time of writing.

This exploit compromises the version of OpenSSL found in the current versions of the Apache and Nginx web servers, which together account for roughly 66% of all websites. Many Linux-based operating systems are vulnerable as well, including the current versions of Debian, Ubuntu, CentOS, Fedora, OpenBSD, FreeBSD, NetBSD, and OpenSUSE, which again represent a large majority of the servers underpinning the web today.

Even patching an individual site or program’s version of OpenSSL is not a complete fix, because any information transmitted may be relayed through compromised servers, allowing interception at those points. Security researchers have already demonstrated access to plaintext Yahoo usernames and passwords. Users can test individual sites to see if they are vulnerable to this exploit by entering the web address at

What can be done?

Individual users and software vendors can take steps to limit their vulnerability, but your data will not be safe unless it is encrypted before transmission and every link in the transmission chain has been secured.

Individual users can take a number of steps to limit their exposure to this vulnerability:

1. Change your passwords.

Given how long this exploit has been in the wild and how pervasive it could have been, users are advised to change ALL of their passwords immediately. We realize that this is quite a task for most of us in today’s world, but it’s better than potentially exposing your accounts and data. For more tips on crafting good passwords, feel free to check out our previous blog post.

2. Clear your session keys

The exploit also allowed the interception of session keys for login. These are how your browser maintains login credentials for websites you may have navigated away from and come back to, and could allow an attacker to impersonate you on those websites. These credentials can be flushed from any browser. In Chrome, for example, you would navigate to Menu > Settings > Advanced settings > Clear browsing data, and clear the session and cookie data. You will need to clear ALL session and cookie data, as any of this could have been compromised at some point.

3. Check the websites you are using.

Before you enter credentials for the next few days, first test the websites out at Most major sites are either already patched or will be by this evening, but Yahoo at least was still vulnerable as of this morning. Better safe than sorry for the next few days.


Vendors need to follow the steps above as well, but additionally need to make sure their products and deployment systems are clean:

1. Update OpenSSL immediately.

You can check your OpenSSL version at the command line by entering openssl version. If you are still using a vulnerable version, i.e. anything from 1.0.1 through 1.0.1f, either update to 1.0.1g or, if updating isn’t an option, recompile OpenSSL with the compile-time option -DOPENSSL_NO_HEARTBEATS.

2. Request re-issue of any X.509 certificates you are using.

Any vendor that provided you with X.509 certificates can revoke your old certs and re-issue new credentials. This is essential to do as soon as your system has been secured.

3. Scour your information pipeline.

Who processes your data? Where does it come from? Are you sending unencrypted information through someone else’s server? Know all of the points in your data pipeline and check each one. Any single hole invalidates the entire pipeline and may leave you liable for putting your customers’ data at risk.

4. Assume your data has been compromised.

While we can plug the existing holes, there is no putting the spilt milk back in the jug. If you find that you had these vulnerabilities anywhere in your data pipeline you should act as if your data and credentials were compromised, and behave accordingly.
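For the "Update OpenSSL immediately" step, here is an added Python helper (not part of the original post) that classifies the banner printed by openssl version against the range named above, 1.0.1 through 1.0.1f, and points to the 1.0.1g upgrade or the -DOPENSSL_NO_HEARTBEATS rebuild. It assumes the banner format "OpenSSL <version> <date>"; the sample banners in the comments are constructed. Distributions often backport the fix without changing the version letter, so a match is a prompt to check the package changelog, not a verdict.

```python
"""Added helper for the "Update OpenSSL immediately" step: classify the
banner printed by `openssl version` against the range the post names
(1.0.1 through 1.0.1f). Not part of the original post.

Caveat: distributions often backport the fix without changing the version
letter, so a match here means "check the package changelog", not "vulnerable".
"""
import re
import subprocess
from typing import Optional, Tuple

# Matches constructed banners such as "OpenSSL 1.0.1e 11 Feb 2013"
# or a base release with no letter such as "OpenSSL 1.0.1 14 Mar 2012".
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

FIRST_FIXED_LETTER = "g"  # 1.0.1g (7 Apr 2014) carries the fix


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int, str]]:
    """Turn 'OpenSSL 1.0.1e 11 Feb 2013' into (1, 0, 1, 'e'); None if unparseable.
    The letter is '' for a base release such as 1.0.1."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def is_heartbleed_version(banner: str) -> Optional[bool]:
    """True when the banner reports 1.0.1 through 1.0.1f, False for any version
    outside that range, None when the banner cannot be parsed."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    major, minor, patch, letter = parsed
    if (major, minor, patch) != (1, 0, 1):
        return False  # other branches are outside the range the post names
    # Letters in the 1.0.1 branch are single characters, so string order is
    # release order; the empty letter is the 1.0.1 base release.
    return letter < FIRST_FIXED_LETTER


def classify_banner(banner: str) -> str:
    """Human-readable verdict for one banner line."""
    verdict = is_heartbleed_version(banner)
    if verdict is None:
        return "could not parse version banner"
    if verdict:
        return ("in the 1.0.1 - 1.0.1f range: update to 1.0.1g "
                "(or rebuild with -DOPENSSL_NO_HEARTBEATS)")
    return "outside the vulnerable range named in the advisory"


def check_local_openssl() -> str:
    """Run `openssl version` on this host and classify what it prints."""
    try:
        proc = subprocess.run(["openssl", "version"], capture_output=True,
                              text=True, check=True)
    except (OSError, subprocess.CalledProcessError) as exc:
        return f"could not run openssl: {exc}"
    return f"{proc.stdout.strip()} -> {classify_banner(proc.stdout)}"


if __name__ == "__main__":
    print(check_local_openssl())
```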



10 Tips to Make Your Passwords Ridiculously Hard to Hack

Many of us have felt the pain of having an online account hacked. With several high profile breaches of major companies this year (remember Yahoo! and Target), now is the time to review the strength of your online passwords. To help, Bitium has compiled a list of ten tips for creating a more secure password. Adopting some of these will go a long way towards keeping your personal information safe.

Click the button below to download Bitium's Top 10 Tips For a More Secure Password


Ethereum is the Bitcoin technology that's even more important than the currency

You've probably heard of Bitcoin by now, but have you heard of Ethereum?

If you have twenty minutes to watch a video about Bitcoin, this is the one to watch. It's for both programmers and non-programmers, explaining how Bitcoin works in a way everyone can understand. The main takeaway is that we finally have a way to trust people without having to trust anyone. Wait. What?

Before the Bitcoin breakthrough there was only one way to trust people: trust a company to police everyone. You may not trust the dude sending you money on PayPal, but you trust PayPal. In a post-Bitcoin world, now you can trust someone sending you money without a company like PayPal; kind of like the internet itself. No one company runs the internet.  Words like "distributed" and "decentralized" get tossed around haphazardly, but take a minute and think about how fundamental of a shift Bitcoin has made with money, and then let's talk about Ethereum.

Aren't there lots of things in our lives controlled by a single company because that was our only option? Domain registration is a good example. Of course one central authority must be the gatekeeper that answers the question of who owns a domain, right? Or is ICANN acting like the company PayPal in the previous example?

How about storing a file on the cloud? You need Dropbox right?  They will manage controlling who has access to the file and control your amount of storage right? Or is Dropbox like PayPal and ICANN?

Ethereum turns everything we know about trust upside down. Bitcoin, the currency, is just one example of removing a central authority. But the far more important point about the success of Bitcoin is that this is just the beginning, and how we are going to do this over and over again for everything--not just currency.

I'm not saying PayPal, ICANN, and Dropbox are going away. These companies will change and adapt to this new world and this transition will take many years. Dropbox might offer new services that help you store files in a different way once the trust issue changes.

Here at Bitium we think about enterprise identity access management. Your company has many employees, all using many different cloud apps, each with its own username and password. Employees come, employees go, and passwords sometimes don't follow. Right now Bitium acts like PayPal and ICANN, in that we ask that you trust us to manage your passwords and (even though I'm biased) it's a good deal. Not using a system like Bitium puts you in an even worse position vis-à-vis security.

But in a world with Ethereum, where is enterprise identity access management heading? We should be able to offer you the current feature set of Bitium without asking for your trust. How exactly that works is what we are working on today. Oh and we're hiring.


Bitium Goes to AdTech


AdTech is fast approaching and if you are anything like us, then you can’t wait to get into that enormous convention center and learn about the latest and greatest in marketing and advertising. We love to hear about what you are doing because it helps us iterate on our already amazing product to better help you manage your web-based tools.

We are excited about AdTech because we can’t wait to show you why Bitium is the BEST cloud application management solution on the market and the ONLY solution built for marketers. Time and time again we are told by our agency clients and marketing teams that they didn’t know how they functioned before Bitium.   


We aren’t surprised…

There are so many web-based (or SaaS) tools out there that were created to help us do our jobs more efficiently, but as the catalog of tools grows, so does our list of passwords, access points, and the headache that goes along with that. Here at Bitium we felt that pain too.  In this adapt or die landscape, forward thinking marketers are looking to leverage the power of cloud apps without the hassles.  



Bitium is the only application management solution for marketers. We provide password, identity, and app management for more than 1,750 applications.

So, what does a Cloud Nirvana look like?  Good question, we are glad you asked.   It means having the ability to:

  • Share access to apps, not passwords
  • Access your client’s apps without ever knowing their credentials
  • Organize apps and users into groups that meet your needs
  • Gain actionable insights into your company’s app usage, user behavior, and password security

Companies that solve these issues will be in the best possible position to execute on business objectives.

If you are at AdTech, come to booth 2448 and see us for a live demo, some sweet schwag or to talk about your organization and how Bitium can fit in. You can always sign up for a free demo on our website here



The World's Biggest Data Breaches of 2013

2013 was a year of many things...

Some great:

Some less great:

  • Yahoo bought Tumblr.
  • Apple redesigned its iOS

Some interesting: 

And some downright nefarious:

With the ever-changing landscape of the enterprise and cloud computing, these companies got hit the hardest in 2013… 



Bitium Raises $6.5 Million Series A Financing Led By Polaris Partners

Enterprise Software Company to Accelerate Growth and Continue Product Development in App Management and Single Sign-On 

SANTA MONICA, CA, FEB. 26, 2014 – Bitium, an enterprise software company that provides app management, single sign-on and analytics for more than 1,500 cloud-based apps allowing companies to securely manage their software catalog, announced today that it has raised $6.5 million in Series A funding from Polaris Partners. The round includes participation from previous investors including Amplify, Resolute VC, Double M Partners, Social Leverage, Karlin Ventures, Lazerow Ventures and Rob Glaser. Polaris Managing Partner Dave Barrett has joined Bitium’s board of directors. The new capital will be used to continue the company’s rapid growth in the app management and single-sign-on space, accelerate product development and expand sales and marketing activities.

Bitium’s app management platform helps organizations manage their growing list of SaaS apps with single sign-on and permissions management. As a result of the converging trends of bring-your-own apps (BYOA), bring-your-own device (BYOD), the consumerization of the enterprise and the inevitable move to the cloud, companies are left with little visibility of the apps their employees use and few tools to manage those apps. Bitium solves this with a solution that allows for flexible employee adoption while securely managing cloud-based software.  

Bitium’s core features include:

  • Fixed pricing model 
    • This includes unlimited apps and users – allowing universal adoption across the entire company.
  • Identity access management/single sign-on
    • Bitium users can access more than 1,500 cloud-based apps with a single sign-on and can grant and revoke application access to employees in one click – including app provisioning. 
  • Secure partner provisioning 
    • Bitium is the only company that lets companies request and grant access to corporate accounts on behalf of partners without sharing passwords. 
  • App insight and auditing
    • Bitium’s proprietary grading scale rates user passwords (A to F) based on strength and how easily it could be breached, giving IT a quick view into enterprise security.
    • Bitium’s reports create insights into apps that are assigned to specific employees but not being used, allowing managers to save money by shutting off unused accounts.

“As software moves to the cloud at a rapid pace, we are poised to continue our rapid expansion and Polaris and Dave understand the importance of an open adoption model for enterprises. Their expertise is going to be an asset as we drive product growth, sales and marketing,” said Scott Kriz, CEO Bitium. “Companies are seeing that by empowering employees with Bitium, the role of IT is changing from gatekeeper to curator. We enable companies to realize long-term strategic advantages over their competition with increased efficiency and agility, by allowing them to focus on their core business instead of locking down the organization for the sake of security.”

“As spending on enterprise technology continues to rise, the demand for systems that manage disparate apps and devices looms large – Gartner predicts that worldwide IT spending is on pace to reach $3.8 trillion in 2014,” said Barrett. “Bitium has built a product that not only solves a major issue for organizations of all sizes, but also provides a superior user experience to other products on the market.  We are still at the beginning stages of a SaaS revolution that will impact web and mobile users for the next generation, and Bitium is well positioned with a compelling strategy, stellar product platform and world-class technology team.”


About Bitium

Bitium is an enterprise software company that provides app management, single sign-on and analytics for more than 1,500 cloud-based apps, including Google Apps, collaboration tools, CRM, social networks, accounting programs, bug trackers, customer service dashboards, marketing tools and more. Bitium was founded in 2012 by Scott Kriz and Erik Gustavson and is funded by Polaris Partners and a group of strategic investors in the enterprise cloud space. Bitium is headquartered in Santa Monica, CA.


Apple Security Alert: "Gotofail" SSL Bug

Over the past week, Apple has released critical security updates for iOS and OS X (including Lion, Mountain Lion, and Mavericks) users--this means all iPhones, iPads and Mac desktop and laptop machines with recent OSes installed.

These updates are crucial as they address a number of serious security bugs, including the recent SSL/TLS vulnerability (AKA "gotofail") that could allow an attacker ("man-in-the-middle") to intercept secure connection data on a local network. This "gotofail" vulnerability is exploitable by anyone on the same wired or wireless network as the victim; it enables the attacker to masquerade as a trusted site, such as your bank or email provider, and to intercept any data sent between the victim and the intended site. Security experts have already created proof-of-concept exploits, and they speculate that similar, less benign apps are already loose in the wild. Given the target-rich scope of the systems affected, these attacks will likely become prevalent in the coming days. offers updated information about the issue and patches, as well as a quick test to see if your system is vulnerable.



Update your Apple devices and systems as soon as possible to the latest available versions (7.0.6 for iOS, 10.9.2 for Mavericks, and Security Update 2014-001 for Lion/Mountain Lion). The updates are available for iOS and OS X through Apple's Software Update service, accessible from the Apple menu, or from the "Updates" section of the App Store. The updates are also available from Apple's support downloads site. As always, be sure to fully back up your system before applying any of these updates.

Do not use untrusted networks (especially WiFi) until you can update your devices over a trusted network. On unpatched devices, set “Ask to Join Networks” to OFF, preventing them from asking to connect to untrusted networks.



IBM Shifting from Human Capital to Cloud


IBM announced several big moves today including their acquisition of Cloudant, increased investment in the cloud and a new partnership with Governor Cuomo on a state-run IT center. After seven consecutive quarters of declining revenue and IBM stock dipping nine percent over the past year, major changes to their current business model come as no surprise.

Why Would IBM Move to the Cloud?

For IBM, moving away from costly on-premise hardware and software installations to invest in the cloud means a more self-service computing environment to host its second-largest revenue-generator: software. According to Quentin Hardy of the New York Times, not only does software bring in $25.9 billion of the company’s $99.8 billion in 2013 revenue, but it also draws most of the company’s services business. IBM’s acquisition of Cloudant serves the same purpose, offering database-as-a-service, and consolidates their long-standing relationship.

For IT professionals, this narrative is familiar. Cloud solutions are continually applauded for their ability to give companies a competitive edge by allowing for leaner, more agile business models. Moving to the cloud means companies can shift resources away from costly or unnecessary infrastructure installations and re-focus them on the company’s main business offerings.

The Shift Away from 'HUMAN'

The new storyline popping up in today’s announcement is the potential for cloud solutions to replace human capital. Some of the most fervent cloud devotees are small to medium-sized start-ups and their business models don’t have clunky on-premise solutions to cut out of the equation. As larger, more established enterprises like IBM re-purpose resources to the cloud, the shift could create a wave in the market, a wave with layoffs in its wake.

How to Protect the Enterprise.

Regardless of the effects, migration to the cloud is ramping up and tools like Bitium help you make the transition by offering essential tools like password management, single sign-on and direct integrations between various apps. Find out how Bitium unlocks the cloud.


5 Ways to Protect Your Digital Identity

Recent headlines about major security breaches at Target and Yahoo! Mail highlight the risk of having your personal data online.  These events are a reminder of how critical it is to take steps to protect your digital identity.  According to a recent study from Microsoft, the average person has 25 online accounts and 66% of consumers use the same one or two passwords for all of their log-ins.  It only takes one account to get hijacked for a hacker to access all of your personal and financial information.

Here are five ways to reduce your risk:

1. Use an online password generator for maximum security - The best passwords consist of random numbers, upper and lower case letters, and special symbols.  Use any of these five options to find an auto-generated password for each of your online accounts.  

2. Bolster your answers to security questions - Traditional security questions are often easy to crack, but you can personalize your answers by adding extra characters to the end of your response.  Make it something very specific that only you would know.

3. Browse in “Incognito” (Google Chrome) or “Private” (Mozilla Firefox) mode. This way, if your computer, tablet, or mobile device is stolen you can ensure that your web history and passwords aren’t saved for someone else. This also disables the browser’s keychain functionality that saves passwords and login credentials.

4. Check for https on any website where you are entering personal information - The ‘s’ after ‘http’ means that the site’s identity has been verified and the connection to it is encrypted.

5. Set automatic updates for your operating system to ensure that you always have the latest security patches.    

Additionally, using a product like Bitium reduces the risk that your passwords and confidential data will fall into the wrong hands. Bitium is a single sign-on solution that lets users enter the passwords for all of their web apps once and never type them again. This gives you the ability to create a different, secure password for each of your apps without having to remember them, because Bitium takes care of logging you in. If you ever need to see your passwords, Bitium has a secure process that lets you view them.

Don’t let cybercriminals destroy your identity or hack into your applications. These simple steps will help keep your information safe.  

See the article here from Entrepreneur that talks about protecting small businesses from cyber-attacks.


Bitium Does Yoga on the Beach at Sunset.

Picture yourself here.... 

Santa Monica Beach Park. Sunset. February 13, 2014.


Yes. On the beach at sunset in Santa Monica, California.  If you worked at Bitium you could live this dream.  You could be on this beach.  You could do this... 

The Bitium Team does Yoga on Santa Monica Beach at Sunset.


That's right. You could do yoga. On the beach. In February. And get paid for it. Well, you won't be getting paid for the yoga, unless you can do something like this, but you know what I mean.

We believe in the mind, the body, and the spirit.  We believe in the holistic approach to life and work. That's why we work hard and we play hard. We support the pursuit of hobbies outside of work and introduce our team to new things by organizing group activities like this. If you are ready to do some Downward Facing Dog with us then check out our jobs page here!


Yahoo! Mail Hack – Don’t Let this Happen to YOU

Security Breach Compromises Users' Accounts & Information

Last week, names and passwords of Yahoo Mail users were hacked and used to gather personal information about people with whom those users had recently corresponded. Yahoo responded quickly by alerting users of the breach. They also required a password reset and enabled two-step verification on the accounts that were hacked. A Yahoo blog post, "important security update for Yahoo Mail users", further identified what Yahoo is doing to remedy the situation and outlines what users can do to keep their accounts secure.

Many of the most recent security breaches are a byproduct of users’ passwords being obtained through other services and hackers using this information to gain entry to their accounts. With the proliferation of SaaS and the vast amounts of personal information and data stored in the cloud, many organizations are leaving themselves even more vulnerable to a breach. Inevitably, users reuse the same passwords across all of their SaaS applications, and as adoption increases, both in and out of the enterprise, so does the threat of a breach. Many users say that it’s not plausible to remember 40+ different passwords for their various applications.

There is a solution!

Single sign-on solutions like Bitium go a long way toward protecting corporate data and preventing security breaches like the one Yahoo experienced. Bitium allows companies to request and grant access to corporate accounts on behalf of partners without sharing passwords. This reduces the transfer of passwords and usernames while allowing internal and external teams alike to collaborate in order to reach their goals. Bitium also allows users to set a password for any application and never have to access it again. Users can find an auto-generated password through a number of 3rd party apps (Mashable compiled a list here) and after provisioning the app in Bitium, the information is securely stored and never has to be used again. If you need to see what your password is for any reason, there is a secure access dashboard where you can view the passwords that you have entered (more info here).



While cyber-criminals continue to advance, so do the measures and applications that keep individuals’ and companies’ information secure. Research the best solution for your organization and take every precaution to ensure you are not a target.

If you want to learn more about “opening up the cloud” and securing your businesses or your personal identity / data, sign up for a free webinar or request a live demo here.  


Is IT in the Dark About Cloud Usage?

The growing number of cloud based applications used by employees is giving IT departments a headache. With employees adopting a range of cloud based tools to assist in their day to day jobs, IT professionals can’t keep up with the number of cloud apps in their system and face a growing security challenge. In industries where collaboration is key, how does a business stay safe?

There are countless apps available to help you stay better organized and hence be more efficient in your work.
— Idiva, How to Use Mobile Apps to Increase Efficiency

Efficient Worker, Inefficient Enterprise.

Allowing individual employees to use whatever apps they want creates huge challenges for IT departments, who aim to provide organizational guidelines and infrastructure for supporting the myriad apps that employees use.   A new report highlights and categorizes the most popular cloud apps used in the enterprise.  Employees are finding solutions in the cloud for marketing, HR, storage, CRM/SFA, and collaboration.  The typical enterprise uses 397 apps and many of these are not enterprise-ready, exacerbating the challenge of IT departments.  Additionally, IT is also not aware of the full extent of cloud app usage in their organizations. 


On average IT professionals underestimated cloud app use in their organizations by 10X, with the typical enterprise using 397 apps.

Users Feel the Pain Too

Think about the number of apps that you use on a daily basis: along with personal apps like Instagram, Twitter, and LinkedIn, you might also have access to your department’s shared Twitter, Facebook, Dropbox, Yammer, or Salesforce accounts. When you first joined your company, how long did it take you to gain access to all these programs? How many passwords do you have to use every day? Do you find that you’re spending lots of time uploading, sharing and downloading things? Isn’t there a better way?

Solution: The SaaS Operating System

Bitium was created to help IT managers and users harness the benefits of the cloud while reducing operational risks and headaches. With Bitium, users have the freedom to access the apps that help them do their jobs and manage their lives, all from a single sign-on platform. IT managers can easily grant user groups access to a set of apps, track business app usage, and gain key insights into which programs are business-critical. With hundreds of integrated apps and counting, Bitium aims to be the leading SaaS operating system. Learn more about their product and pricing, and how they can help your organization come out of the dark and into the cloud. 



Product Demo: Password-free App Access Sharing Between Organizations

Bitium's cross-organization app sharing feature allows members of one organization to access an app on behalf of a person from another organization, without ever knowing the account password or credentials.

Check out this video to see how to setup password-free cross-organization app sharing.

Visit our Support Center for more information about this process, or see the Bitium site for more information about our product.

Which other features would you like to see demoed?


Product Demo: Using the Message Center

The Message Center collects messages from your Apps in one place, and allows you to filter them in powerful ways, helping reduce clutter in your email inbox.

Watch this video for a demo of the Bitium Message Center features.


Visit our Support Center for more information about this process, or see the Bitium site for more information about our product.

Which other features would you like to see demoed?


Product Demo: Create and Manage Groups

Using Groups makes managing app access across entire departments a snap. Organize users into groups and quickly give them access to the apps they need. 

Watch this demonstration to see how to create and manage groups for your organization in Bitium.


Visit our Support Center for more information about this process, or see the Bitium site for more information about our product.

Which other features would you like to see demoed?


MongoHQ and Buffer security breaches blamed on weak password management

An employee’s poor choice of mixing personal and professional passwords leads to major data leak and widespread social media spamming. 


MongoHQ is a database-as-a-service provider that was founded in 2011 to provide hosted instances of MongoDB, a popular NoSQL database. They are a Y Combinator alum, and have many high-profile customers.

The password of one of MongoHQ's employees was stolen from a consumer site, either through a hack or through phishing. The employee happened to use the same password for their MongoHQ corporate SaaS applications. Hackers used the employee's password to log in to MongoHQ's admin tool, where they then accessed the data stored by many MongoHQ customers.


A high-profile spillover/related attack is Buffer, a MongoHQ client. The MongoHQ hackers grabbed access tokens stored in Buffer's databases on MongoHQ and posted spam to 30,000+ Buffer users' Facebook and Twitter accounts. The hackers also broke into Buffer's GitHub account and stole their codebase.


While TechCrunch described the event as "a major attack that reflects on the poor state of security in the startup community," we here at Bitium firmly believe it is merely a lack of education. Security is a tough business, so the places that are the easiest to focus on are sometimes the ones we overlook. In the case of MongoHQ, hindsight affords us the vision to say confidently that their employee should not have used mixed-use passwords.

In actuality, the answer is much simpler: employees shouldn’t have to come up with their own passwords. In fact, they don’t even need to know passwords anymore--they just need access to their corporate applications. At Bitium, password and application management is just the beginning. Check out our other features, and stay tuned for more in our series about the nexus of SaaS and Security.