If you read MongoHQ's extremely detailed report[0], you'll see that the original intrusion was based on shared credentials (that were cracked on another system). This was then exploited in a number of ways to compromise various clients of MongoHQ.
Lots more discussion over at [1].
The main takeaway is to take security seriously, and employ multiple levels of security. The MongoHQ team are doing things like 2-factor auth, and restricting customer service tools to a VPN. As far as I can see, no framework or coding bugs.
[0] http://security.mongohq.com/notice
[1] https://news.ycombinator.com/item?id=6637426