Company: MongoDB
Date Published:
Author: Lena Smart
Word count: 540
Language: English
Hacker News points: None

Summary

MongoDB Security Incident Post Event Summary, January 23, 2024

MongoDB first informed customers in December 2023 about a security incident involving unauthorized access to certain corporate systems, including exposure of customer account metadata and contact information. The investigation confirmed that the unauthorized party never accessed MongoDB clusters and never penetrated the Atlas cluster authentication system.

A previously unknown flaw in a third-party application used by MongoDB staff enabled the phishing attack, which yielded Single Sign-On credentials and a Time-based One-Time Password. The unauthorized party executed an Adversary-in-the-Middle attack to access data in corporate applications containing customer contact information and metadata. Within 24 hours, the standard session limits kicked in and the unauthorized party lost access to most systems. However, they used the access they still had to send targeted phishing messages to MongoDB employees, which let them regain access for a limited time. A MongoDB employee identified the fraudulent phishing messages and notified the security team, which immediately enacted its incident response plan.

The investigation focused on determining the timeline of the event, the initial infection vector, and the number of impacted employees. To address the issue, MongoDB disabled the flawed application, reset user credentials, cleared active sessions, examined the environment to understand the breadth of the activity, and reviewed its security posture to prevent similar incidents in the future. The company strengthened its phishing-resistant multi-factor authentication policies and reiterated the importance of customers enforcing the same measures.
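The summary's closing point, that a Time-based One-Time Password can be relayed through an Adversary-in-the-Middle proxy while phishing-resistant (origin-bound) MFA cannot, as an added illustration that is not part of MongoDB's post or its code. The origins, secrets and challenge are constructed demo values, and HMAC stands in for the authenticator's public-key signature.

```python
import hmac, hashlib, json, struct

# Constructed demo values (not MongoDB systems or secrets).
REAL_ORIGIN = "https://sso.example.test"   # legitimate identity provider
PROXY_ORIGIN = "https://sso-example.test"  # hypothetical AitM relay the user actually visits

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code depends only on the secret and the time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    """IdP-side check. Nothing here can tell which site the user typed the code into."""
    return hmac.compare_digest(totp(secret, unix_time), code)

def make_assertion(device_key: bytes, challenge: str, page_origin: str) -> dict:
    """Stand-in for a WebAuthn assertion: the browser records the origin of the page
    that asked for it, and the authenticator signs challenge + origin together."""
    client_data = json.dumps({"challenge": challenge, "origin": page_origin}, sort_keys=True)
    sig = hmac.new(device_key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}

def verify_assertion(device_key: bytes, assertion: dict, challenge: str, expected_origin: str) -> bool:
    """IdP-side check: signature valid, challenge fresh, and origin equal to the IdP's own."""
    data = json.loads(assertion["client_data"])
    expected_sig = hmac.new(device_key, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected_sig, assertion["sig"])
            and data["challenge"] == challenge and data["origin"] == expected_origin)

def relay_scenarios(now: int = 1_700_000_000) -> dict:
    """Simulate the AitM relay: the user interacts with PROXY_ORIGIN, which forwards every
    message to REAL_ORIGIN in real time. Returns what the real IdP ends up accepting."""
    totp_secret, device_key, challenge = b"demo-totp-seed", b"demo-device-key", "c0ffee"
    # TOTP: the six digits typed into the proxy are forwarded unchanged and verify fine.
    totp_ok = verify_totp(totp_secret, totp(totp_secret, now), now)
    # Origin-bound MFA: the assertion was produced for PROXY_ORIGIN, so REAL_ORIGIN rejects it...
    relayed = make_assertion(device_key, challenge, PROXY_ORIGIN)
    relayed_ok = verify_assertion(device_key, relayed, challenge, REAL_ORIGIN)
    # ...while the same authenticator used directly on the real site is accepted.
    direct = make_assertion(device_key, challenge, REAL_ORIGIN)
    direct_ok = verify_assertion(device_key, direct, challenge, REAL_ORIGIN)
    return {"totp_relayed": totp_ok, "origin_bound_relayed": relayed_ok, "origin_bound_direct": direct_ok}
```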