Public Cloud Security Breaches

Documenting their mistakes so you don't make them.

Ubiquiti (2020)

In December of 2020, Ubiquiti suffered a breach at the hands of an employee. This employee masked their presence via a VPN, cloned the company's GitHub repository, and altered logs in AWS to hide their activity and evidence of the breach. After the attacker leaked false details of the attack to a well-known security blogger, Ubiquiti's stock lost 4 billion dollars in value.

BrowserStack

In November 2014, BrowserStack, a cloud platform for cross-browser and cross-platform application testing, was breached through an old prototype machine that had not been patched and was vulnerable to Shellshock. The attacker created an IAM user and generated an access key pair for it. The attacker then accessed the customer email list and used AWS Simple Email Service to send emails to 5,000 users falsely stating that BrowserStack was shutting down.

DataDog (2016)

In July 2016, SaaS provider DataDog suffered a breach affecting its AWS customers. The breach stemmed from an attacker targeting production infrastructure servers and a database that stored user credentials. AWS users who had shared AWS credentials with Datadog also reported issues. DataDog immediately mitigated the breach, notified users, and advised them of the precautions they needed to take.

UNC2903

Mandiant identified a new threat actor, UNC2903, attempting to harvest and abuse credentials via Amazon's Instance Metadata Service (IMDS). Mandiant observed that UNC2903 scanned the internet for a particular vulnerability and used a relay box to carry out exploitation and the related IMDSv1 abuse.

Welcome to Breaches.Cloud

Welcome to Breaches.Cloud - the soon-to-be definitive source for analysis on cloud security-related breaches.

Why are we doing this?

As a cloud security practitioner, I often find myself trying to explain cloud security risks to my developer, operator, and builder constituency. Within the Cloud Security community, we know the potential risks of long-term access keys, publicly writable buckets, and insecure services exposed to the world.

CommuteAir

In January of 2023, CommuteAir suffered a breach that exposed the US Department of Homeland Security's "No Fly" and Selective Screening lists, containing over 1.5 million records, along with CommuteAir employee information. The attacker found an exposed Jenkins server and was able to access build workspaces containing the repositories for the build jobs. On the Jenkins server, the attacker found access keys that granted access to the CommuteAir AWS environment. After investigating the AWS infrastructure, the attacker found the No Fly List among test data on the Jenkins server.

Codespaces (2014)

In June of 2014, the code hosting and project management provider CodeSpaces.com was forced to shut down after a series of events in which an unknown threat actor carried out a well-organized denial of service attack and attempted to extort payment. When negotiations fell through, the threat actor accessed Codespaces' Amazon account and deleted data and backups.

Cisco WebEx

In September 2018, a former engineer used AWS credentials that remained valid after his employment ended to delete 456 virtual machines supporting Cisco's WebEx Teams application. Cisco cited the outage as costing over $2.4M.

Uber Breaches (2014 & 2016)

In 2014 and again in 2016, Uber suffered a data breach in which attackers gained access to an unencrypted file containing sensitive user information. In both instances, the attackers used keys found in Uber's GitHub repositories. In 2014, the attacker found an access key in a public repository. In 2016, the attackers used stolen GitHub credentials to access an AWS key in an engineer's private repo.

Uber reported the 2014 incident to the Federal Trade Commission, which prompted an investigation into Uber's security practices. In the 2016 incident, Uber's Chief Information Security Officer paid the attackers $100,000, supposedly as a bug bounty, to delete the data and not disclose it. This incident is notable because the CISO, Joe Sullivan, was later convicted for not promptly notifying federal authorities when the breach occurred. Uber was fined $148 million for concealing the breach.

Chegg (2018)

In April 2018, the educational platform Chegg Inc. suffered a breach leading to the exposure of sensitive data on over 40 million users. A former contractor used AWS root credentials to exfiltrate the data.