The Operations team at MongoHQ has been working diligently since yesterday to correct any exposure our systems had to the OpenSSL "Heartbleed" vulnerability. We want to share our progress, as well as the steps you can take to protect yourself going forward.
More on the OpenSSL Vulnerability
By now you are probably well aware of this vulnerability and can skip this section. If not: "Heartbleed" (CVE-2014-0160) is a vulnerability in the extremely popular OpenSSL crypto library that allows nefariously-minded people to read snippets of a server's memory contents. Most of the Internet uses this library for private communication with itself, so if communication that was intended to be private and secure is no longer that way, it's a really big deal.
Our Operations team has no evidence that this vulnerability has been used against any of our services. However, such an attack would be very difficult to detect, so we have moved forward with increased scrutiny of the possibilities, and we encourage you to do the same.
What was affected?
- Public-facing MongoHQ web applications delivered over SSL.
- A few specific server environments.
- Customers using a vulnerable version of OpenSSL with MongoDB.
For these systems, we have corrected all potential vulnerabilities and have worked with our hosting providers to ensure that their systems have been updated as well.
So, what did we do?
Here is a list of the steps we took (and are actively taking) to correct the vulnerability.
- Deployed updated versions of OpenSSL to any affected server environments.
- Replaced vulnerable versions of OpenSSL that Mongo processes were using and restarted those Mongo processes.
- We are working to cycle new certificates and expire/reject old ones.
- We are force-expiring web sessions to MongoHQ web applications.
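For customers running their own MongoDB hosts, the first two steps above (upgrade OpenSSL, then restart any process still holding the old library) can be checked with a short script. This is an added example, not MongoHQ's tooling; it assumes a Linux host with /proc and the openssl CLI, and the sample maps lines are constructed.

```shell
# Added example, not MongoHQ's tooling: self-check for the first two remediation
# steps above. Assumes Linux (/proc/<pid>/maps) and the openssl CLI.
# Upstream OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected by
# Heartbleed; 1.0.1g and later carry the fix. Caveat: distributions backport the
# fix without changing the version number (a patched 1.0.1e is common), so a
# "vulnerable" result means "check the distro package changelog", not proof.

# heartbleed_version_vulnerable "<output of openssl version>"
# Returns 0 if the reported version is in the affected range, 1 otherwise.
heartbleed_version_vulnerable() {
    set -- $1                      # split "OpenSSL 1.0.1e 11 Feb 2013" on whitespace
    case "$2" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# maps_needs_restart "<contents of /proc/<pid>/maps>"
# Returns 0 when libssl or libcrypto is mapped from a file marked "(deleted)":
# the package was upgraded on disk, but this process still runs the old code in
# memory and must be restarted (the "restart those Mongo processes" step).
maps_needs_restart() {
    printf '%s\n' "$1" | grep -Eq 'lib(ssl|crypto)\.so[^ ]* \(deleted\)$'
}

# Constructed sample of /proc/<pid>/maps lines (not captured from a real host):
# a mongod started before the OpenSSL package was upgraded.
SAMPLE_MAPS='7f3a9c000000-7f3a9c1c4000 r-xp 00000000 08:01 131121 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a9c3d6000-7f3a9c43b000 r-xp 00000000 08:01 131133 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a9c800000-7f3a9c9b0000 r-xp 00000000 08:01 131200 /lib/x86_64-linux-gnu/libc-2.17.so'
maps_needs_restart "$SAMPLE_MAPS" && echo "WARN: sample mongod still maps a deleted libssl; restart it"

# Live check of this host's OpenSSL (skipped when the binary is absent).
if command -v openssl >/dev/null 2>&1; then
    v=$(openssl version)
    if heartbleed_version_vulnerable "$v"; then
        echo "WARN: '$v' is in the Heartbleed-affected range; verify the distro patch level"
    else
        echo "OK:   '$v' is outside the affected range"
    fi
fi

# Live check of running mongod processes (Linux only; pgrep may be absent).
for pid in $(pgrep -x mongod 2>/dev/null); do
    if [ -r "/proc/$pid/maps" ] && maps_needs_restart "$(cat "/proc/$pid/maps")"; then
        echo "WARN: mongod pid $pid still maps a deleted libssl/libcrypto; restart it"
    fi
done
```

The same "(deleted)" check applies to any other long-running TLS process on the host (web servers, proxies), not only mongod.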
Now, what you can do
We are encouraging all our users to act with caution. This isn't to cause alarm, but we want people to know the facts. This is what you can do:
- Reset your MongoHQ web passwords.
- Reset your MongoHQ database passwords.
- Enable Two-Factor Authentication for your MongoHQ account.
As a side note, Two-Factor Authentication offers increased protection from vulnerabilities like Heartbleed: it prevents a login with a password alone and requires a time-based token generated from a pre-shared seed. We strongly recommend you enable this feature for yourself and your team.
Please note: while changing passwords is not mandatory, and there is no indication that the "Heartbleed" exploit was used against our systems, we encourage it. Plus, it's just good practice anyway.
We're here to help!
If you have additional questions or concerns about this event, please reach out to us. You can contact us via Twitter (@mongohq) or via email at firstname.lastname@example.org. Our team would enjoy the opportunity to interact.
We will, of course, keep you up to date on any changes or new developments. We encourage you to follow us on Twitter and keep an eye on our blog for additional information.