Incident Details

In July 2016, SaaS provider DataDog suffered a breach affecting its AWS customers. The breach stemmed from an attacker targeting production infrastructure servers and a database that stores user credentials. AWS users who attempted to use AWS credentials shared with Datadog also reported issues. DataDog immediately mitigated and notified users of the breach and ensured any precautions needed to be taken.

Incident

Details of the Incident

In July 2016, DataDog suffered a security breach. In a statement by DataDog, they say that the attacker gained access through a leak of an AWS access key and a SSH private key that were used by their automated provisioning and release systems. The usage of both keys together allowed for unauthorized access to three of their AWS EC2 instances and a subset of their AWS S3 buckets. The resources breached included user credentials for DataDogs services, service metadata, and credentials for 3rd party integrations.

DataDog then quarantined the affected instances and sent out an email warning its users of the data breach, asking them to reset their passwords and for administrators to rotate or revoke any credentials stored in the DataDog system.

Timeline

Attribution / Perpetrator

The identity of the perpetrator of the breach has not been identified.

Summary of coverage

• DataDog: Security Notice - July 8th, 2016
• Naked Security: Blog Post - July 11th, 2016
• Threat Post: Blog Post - July 11th, 2016

Cloud Security lessons learned.

• Avoid the use of long-term AWS Access Keys
• Per DataDog: only “a subset of our AWS S3 buckets” were impacted, indicating that the compromise credentials may have been properly least-privledge.
• As would be expected of an observability company, the time from initial compromise to incident detection was aprox 19 hrs.