We're very sorry about this, we went into a little bit of a panic when we realized that we held IAM credentials that gave full access to peoples' EC2 accounts and did what we thought was best. In hindsight, we should have gotten ahold of Amazon immediately and let them manage that process.

You should have a support issue open in your AWS portal now, if you need any help getting new keys for other apps. If you can't find it hit us up at support@mongohq.com and we'll escalate.

Our application also had problems due to this. Would have been nice to receive a phone call or email.

Also I believe you should alert us as soon as you find out how long your servers have been compromised for.

As a company we are now trying to figure out how long our access tokens have been out in the wild.

You are 100% right on both points. We'll be updating our security page as we get more details, I expect we'll have some rough timeline information tomorrow.

Thanks. I appreciate being overly cautious when it comes to security rather than under cautious. And this has made us realize that we should have a unique profile for each service.

I am commenting without knowing the specifics of your application, so apologies if it doesn't apply.

You should look into using separate AWS keys for your DB backups and whatever it is your app uses those credentials for. This not only prevents any future availability issues because of key revocation, it also allows you to set fine grained permissions on your access keys limited just to what they're being used for.

We're enacting these changes at the moment. Thanks!