Database management firm MongoDB is investigating a security breach that exposed customer information.
In an alert published on its website Saturday (Dec. 16), the company said it was “actively investigating a security incident involving unauthorized access to certain MongoDB corporate systems, which includes exposure of customer account metadata and contact information.”
The company said it detected suspicious activity Dec. 13 and immediately put its “incident response process” into action. MongoDB said in the alert that it suspects this unauthorized access had been happening for some time before it was uncovered.
The company updated its progress Sunday (Dec. 17), saying it had found no evidence of authorized access to its Atlas customers, a reference to its Database-as-a-Service offering.
“To be clear, we have not identified any security vulnerability in any MongoDB product as a result of this incident,” the company said in the update. “It is important to note that MongoDB Atlas cluster access is authenticated via a separate system from MongoDB corporate systems, and we have found no evidence that the Atlas cluster authentication system has been compromised.”
However, MongoDB said it had found unauthorized access to corporate systems that contain customer names, phone numbers and email addresses among other customer account metadata, including one customers’ system logs.
“We have notified the affected customer,” the update said. “At this time, we have found no evidence that any other customers’ system logs were accessed.”
MongoDB’s troubles come at the end of a year that has seen reports of several high-profile data breaches.
For example, Samsung last month disclosed a years-old, year-long breach of its system which led to unauthorized access to the data of customers who made purchases at its U.K. store.
The breach happened between July 1, 2019, and June 30, 2020, but the Korean tech giant only discovered it Nov. 13.
“We were recently alerted to a cybersecurity incident, which resulted in certain contact information of some Samsung U.K. eStore customers being unlawfully obtained,” the company told PYMNTS in November. “No financial data, such as bank or credit card details, or customer passwords, were impacted.”
“We have taken all necessary steps to resolve this security issue, including reporting the incident to the Information Commissioner’s Office and contacting affected customers,” the statement added.