"We continue to find no evidence of unauthorized access to MongoDB Atlas clusters or the Atlas cluster authentication system. Our investigation and work with the relevant authorities is ongoing. MongoDB will update this alert page with pertinent information as we further investigate the matter.
At this time, as a result of our investigation in collaboration with outside experts, we have high confidence that we were victims of a phishing attack. Through our investigation, we have identified certain information that may be helpful to protect yourself against a potential attack by this unauthorized party:
Indicators of Compromise (IOCs)
The unauthorized party used the Mullvad VPN. Mullvad has many external IP addresses, and there are many VPNs that can be used to hide an IP address. In this case, we saw malicious activity coming from the following IP addresses:
107.150.22.47 138.199.6.199 146.70.187.157 179.43.189.85 185.156.46.165 198.44.136.69 198.44.136.71 198.44.140.133 198.44.140.199 199.116.118.207 206.217.205.88 66.63.167.152 66.63.167.154 87.249.134.10 96.44.191.132
We recommend using the above information to search your networks for suspicious activity. We are committed to being as transparent in this process as we can and providing information so you can assess risk in your network.
With regard to our previous guidance, here are instructions on how to enable phishing-resistant MFA on MongoDB’s native cloud authentication service. MongoDB Cloud also supports federating your identity from your IDP; please see here.
We have fielded questions from some customers about the authenticity of the e-mail titled: MongoDB Security Notice that our Chief Information Security Officer, Lena Smart, sent over the weekend from mongodbteam@mail1.mongodb.com. We can confirm that this email is legitimate."
https://www.mongodb.com/alerts
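One way to run the log search the alert recommends, as an added example that is not part of MongoDB's notice. The function name and the sample log lines are constructed for illustration; only the address list comes from the alert. Whole addresses are parsed and compared, so 87.249.134.101 does not match the listed 87.249.134.10.

```python
import ipaddress
import re

# IP addresses listed in the alert above.
IOC_IPS = frozenset(ipaddress.ip_address(a) for a in """
107.150.22.47 138.199.6.199 146.70.187.157 179.43.189.85 185.156.46.165
198.44.136.69 198.44.136.71 198.44.140.133 198.44.140.199 199.116.118.207
206.217.205.88 66.63.167.152 66.63.167.154 87.249.134.10 96.44.191.132
""".split())

# A dotted quad that is not part of a longer number or dotted string.
# Also picks the IPv4 part out of IPv4-mapped IPv6 such as ::ffff:a.b.c.d.
QUAD = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?!\d|\.\d)")

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2000-01-01T03:12:44Z sshd: Accepted publickey for deploy from 203.0.113.24 port 50122",
    '2000-01-01T03:15:02Z nginx: 198.44.136.69 - - "GET /login HTTP/1.1" 200',
    '2000-01-01T03:15:09Z nginx: 87.249.134.101 - - "GET / HTTP/1.1" 200',
    "2000-01-01T03:16:30Z vpn-gw: session opened client=[::ffff:66.63.167.152]:41822",
    "2000-01-01T03:17:00Z app: connect to 187.249.134.10 refused",
    "2000-01-01T03:18:11Z audit: login failure from 96.44.191.132.",
]

def find_ioc_hits(lines):
    """Return (line_number, ip, line) for every listed address seen in a line."""
    hits = []
    for n, line in enumerate(lines, 1):
        seen = set()
        for m in QUAD.finditer(line):
            try:
                ip = ipaddress.ip_address(m.group(0))
            except ValueError:  # e.g. 999.1.1.1 or octets with leading zeros
                continue
            if ip in IOC_IPS and ip not in seen:
                seen.add(ip)
                hits.append((n, str(ip), line.rstrip("\n")))
    return hits

if __name__ == "__main__":
    for n, ip, line in find_ioc_hits(SAMPLE_LOG):
        print(f"line {n}: {ip}: {line}")
```

As the alert notes, Mullvad has many external IP addresses, so a search that returns no hits covers only the listed addresses.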