by iaresee 919 days ago
We are completely locked out of our Atlas account and the support portal right now. We Okta-auth with Mongo and all attempts to auth right now are failing with "The request contained invalid data." displayed on their login screen.

Of course, the support portal requires you to auth to use it...to get help with auth failing.

Anyone else seeing issues getting into their dashboard?

Edit: Auth started working for us and dashboard access became available for us around 5:15 pm ET.


MongoDB employee posting:

The login issues are unrelated to the security incident. We notified all of our customers and users concurrently resulting in a spike in login attempts. Please try again in a few minutes if you are still having trouble logging in.

Please continue to monitor our alerts page: https://www.mongodb.com/alerts

I mean that totally sounds related (hah!) although I guess we all know what they mean
That’s a funny point, I guess I never really thought of whether “related” was more correlation or causation.
upstream request timeout when trying to sign in
On our side, Okta is saying the auth is good.

I'm trying my personal account as well and it's telling me MFA isn't set up (it is) and it's making me go through the MFA setup flow again. All attempts to set up another 2FA code in 1Password or to get even an SMS code sent to my phone are failing.

Edit: Personal account with a TOTP 2FA is working again now as well.

This is feeling worse than they're letting on to.

Sign in now worked once and sent me into the MFA setup loop but it failed.
You really should not be using SMS for 2FA.
For my own knowledge, if the options were between using SMS for 2FA or not having 2FA at all then what is better? I've heard mixed things about this.
SMS 2FA is better than no MFA at all, despite the very valid concerns about SMS. It at least protects against credential stuffing and similar automated attacks.
I guess I've always cynically assumed that companies want my phone number to make the data they gather more valuable by making it easier to link with a unique index like a phone number.
Well a SIM swap attack requires the account password, since otherwise you would not be able to receive an SMS message for the two factor part.

But without two factor, only your account credentials are needed.

So yeah, it's definitely better than nothing, you are effectively forcing your opponent to social engineer your carrier, and doing that generally requires knowing the full number and usually at least your name, if not more identifying information that's harder to get, like social security number or equivalent.

Sure, TOTP or other two factor mechanisms are better because they require access to one of your authenticated devices (assuming the TOTP isn't done by a secure enclave), but SMS two factor is definitely better than disabling two factor.

You really aren't following along closely enough: all other options were failing for me.
But you have setup SMS 2FA enabled, which is convenient this time but a big security hole. You should consider disabling it once the situation comes back to normal.
> But you have setup SMS 2FA enabled

No. I did not. Nor do I now.

I had a TOTP setup in 1Password and Mongo was telling me MFA _wasn't_ set up and sending me through the MFA setup flow again.

All options, SMS included, were failing in that MFA setup flow they pushed me into.

They're back now and my existing TOTP token is generating one time use passwords that work now.

Same here with Google SSO
Seeing that reminded me of this recent onoz, which one should fold into their threat model: https://trufflesecurity.com/blog/google-oauth-is-broken-sort... <https://news.ycombinator.com/item?id=38670644>
We regained dashboard access around 5:15 pm ET.