In July of 2023, Microsoft disclosed a compromise of Exchange Online that targeted “25 organizations … including government agencies as well as related consumer accounts of individuals likely associated with these organizations.” The vector of compromise was several validation flaws in the Microsoft-hosted Exchange Online and AzureAD services.

As part of the Cyber Safety Review Board investigation of this incident, CISA issued a number of findings citing Microsoft’s negligence in securing their cloud infrastructure and make recommendations to both Microsoft and all cloud service providers.

From the CISA press-release:

“Cloud computing is some of the most critical infrastructure we have, as it hosts sensitive data and powers business operations across our economy,” said DHS Under Secretary of Policy and CSRB Chair Robert Silvers. “It is imperative that cloud service providers prioritize security and build it in by design."

Leveraging an unused account, the Russian APT Midnight Blizzard was able to pivot into Microsoft’s corporate Office 365 to access the emails of key executives and cyber-security employees. Midnight Blizzard was searching for what information Microsoft knew about themselves.

FTX, a crypto-currency exchange, found itself in bankruptcy. At the moment of the leadership transition, over $400 million in crypto-currency was transferred from FTX’s wallets. The FTX trustee management discovered many poor cloud practices during the unwinding process.

Football Australia, the national governing authority for the sport, embedded an AWS Access Key in their website that granted access to 126 S3 Buckets containing sensitive information for players and fans.

In March 2020, a cloud engineer was terminated from First Republic Bank and subsequently accessed their AWS & GitHub environment to cause damage.

An engineer at Retool fell victim to a social engineering attack that led to the compromise of an engineer’s MFA tokens and the account takeover of a small number of Retool customers.

Sumo Logic notified customers of an incident and recommended customers rotate credentials in their platform.

In 2022, LastPass suffered a series of breaches, eventually leading to customer password vaults being taken. This incident is notable because it is the first time we’ve seen evidence that a threat actor targeted a specific employee’s home network to capture privileged cloud credentials.

Welcome to the first breaches.cloud monthly update since going live in May. Not much has happened in the way of new breaches, but we did learn more from the FTC about public S3 buckets at Vitagene. I was busy organizing the fourth annual fwd:cloudsec conference in Anaheim, then attending AWS re:Inforce.

Vitagene is a consumer DNA sequencing company that the FTC fined for several deceptive privacy practices. As part of their investigation, the FTC determined that a few thousand customers’ DNA information was stored in public S3 buckets.