Public Cloud Security Breaches Documenting their mistakes so you don't make them.

Retool MFA

An engineer at Retool fell victim to a social engineering attack that led to the compromise of an engineer’s MFA tokens and the account takeover of a small number of Retool customers.

Sumo Logic 2023

Sumo Logic notified customers of an incident and recommended customers rotate credentials in their platform.

LastPass

In 2022, LastPass suffered a series of breaches, eventually leading to customer password vaults being taken. This incident is notable because it is the first time we’ve seen evidence that a threat actor targeted a specific employee’s home network to capture privileged cloud credentials.

Office 365 (2023)

In July of 2023, Microsoft disclosed a compromise of Exchange Online that targeted “25 organizations … including government agencies as well as related consumer accounts of individuals likely associated with these organizations.” The vector of compromise was several validation flaws in the Microsoft-hosted Exchange Online and AzureAD services.

FTX Bankruptcy

FTX, a crypto-currency exchange, found itself in bankruptcy. At the moment of the leadership transition, over $400 million in crypto-currency was transferred from FTX’s wallets. The FTX trustee management discovered many poor cloud practices during the unwinding process.

Breaches Update - June 2023

Welcome to the first breaches.cloud monthly update since going live in May. Not much has happened in the way of new breaches, but we did learn more from the FTC about public S3 buckets at Vitagene. I was busy organizing the fourth annual fwd:cloudsec conference in Anaheim, then attending AWS re:Inforce.

Vitagene

Vitagene is a consumer DNA sequencing company that the FTC fined for several deceptive privacy practices. As part of their investigation, the FTC determined that a few thousand customers’ DNA information was stored in public S3 buckets.

Ubiquiti (2020)

In December of 2020, Ubiquiti suffered a breach at the hands of an employee. This employee masked his presence via a VPN and was able to clone the company’s GitHub repository and alter logs in AWS to hide their presence and evidence of the breach. After the attacker leaked false details of the attack to a well-known security blogger, Ubiquiti’s stock lost 4 billion dollars in value.

BrowserStack

In November 2014 BrowserStack, a cloud testing platform for cross-platform testing of different applications, was breached through an old prototype machine that had not been updated and was vulnerable to the shellshock exploit. The attacker created an IAM user and generated a keypair. The attacker accessed the email list and used AWS Simple Email Service to send emails to 5,000 users falsely stating BrowserStack was shutting down.

DataDog (2016)

In July 2016, SaaS provider DataDog suffered a breach affecting its AWS customers. The breach stemmed from an attacker targeting production infrastructure servers and a database that stores user credentials. AWS users who attempted to use AWS credentials shared with Datadog also reported issues. DataDog immediately mitigated and notified users of the breach and ensured any precautions needed to be taken.