Public Cloud Security Breaches Documenting their mistakes so you don't make them.

Office 365 (2024 - Midnight Blizzard)

Leveraging an unused account, the Russian APT Midnight Blizzard was able to pivot into Microsoft’s corporate Office 365 to access the emails of key executives and cyber-security employees. Midnight Blizzard was searching for what information Microsoft knew about themselves.

Football Australia

Football Australia, the national governing authority for the sport, embedded an AWS Access Key in their website that granted access to 126 S3 Buckets containing sensitive information for players and fans.

FTX Bankruptcy

FTX, a crypto-currency exchange, found itself in bankruptcy. At the moment of the leadership transition, over $400 million in crypto-currency was transferred from FTX’s wallets. The FTX trustee management discovered many poor cloud practices during the unwinding process.

First Republic Bank

In March 2020, a cloud engineer was terminated from First Republic Bank and subsequently accessed their AWS & GitHub environment to cause damage.

Retool MFA

An engineer at Retool fell victim to a social engineering attack that led to the compromise of an engineer’s MFA tokens and the account takeover of a small number of Retool customers.

Sumo Logic 2023

Sumo Logic notified customers of an incident and recommended customers rotate credentials in their platform.

LastPass

In 2022, LastPass suffered a series of breaches, eventually leading to customer password vaults being taken. This incident is notable because it is the first time we’ve seen evidence that a threat actor targeted a specific employee’s home network to capture privileged cloud credentials.

Office 365 (2023)

In July of 2023, Microsoft disclosed a compromise of Exchange Online that targeted “25 organizations … including government agencies as well as related consumer accounts of individuals likely associated with these organizations.” The vector of compromise was several validation flaws in the Microsoft-hosted Exchange Online and AzureAD services.

Breaches Update - June 2023

Welcome to the first breaches.cloud monthly update since going live in May. Not much has happened in the way of new breaches, but we did learn more from the FTC about public S3 buckets at Vitagene. I was busy organizing the fourth annual fwd:cloudsec conference in Anaheim, then attending AWS re:Inforce.

Vitagene

Vitagene is a consumer DNA sequencing company that the FTC fined for several deceptive privacy practices. As part of their investigation, the FTC determined that a few thousand customers’ DNA information was stored in public S3 buckets.