Security is an exercise in managing risk. Reviewing the common root causes of security incidents is an effective way to guide prioritized remediation efforts.
This repository seeks to index all publicly disclosed AWS customer security incidents with a known root cause. It will exclude incidents involving exposed data stores (e.g S3 bucket leaks, exposed managed or hosted databases). Those incidents are already well understood, and examples can be found cataloged in places like https://github.com/nagwww/s3-leaks, https://www.upguard.com/breaches, https://www.hackmageddon.com/2022/02/21/leaky-buckets-in-2022/ and Corey Quinn's LWIAWS S3 Bucket Negligence Award.
It also excludes incidents impacting individuals, such as the periodic cryptomining due to compromised credentials.
The initial data was collected for a talk at BSidesCT 2020: Learning from AWS (Customer) Security Incidents. You can find the slides here.
This repository is in no way intended as a criticism of the listed companies. In the spirit of blameless postmortems [1], our goal is to learn from incidents without an atmosphere of blame.
A repository of breaches of AWS customers
Name | Date | Root Cause | Escalation Vector(s) | Impact | Link to details |
---|---|---|---|---|---|
Code Spaces | 2014, June | AWS Console Credentials (Phishing?) | Attacker created additional accounts/access keys | Wiped S3 buckets, EC2 instances, AMIs, EBS snapshots | Hacker puts code spaces out of business |
DNC Hack by the GRU | 2016, June | Unknown, test clusters breached | EC2 Snapshots copied to attacker AWS accounts | Tableau and Vertica Queries | DEMOCRATIC NATIONAL COMMITTEE v. THE RUSSIAN FEDERATION |
DataDog | 2016, July | CI/CD AWS access key and SSH private key leaked | Attacker attempted to pivot with customer credentials | 3 EC2 instances and subset of S3 buckets | 2016-07-08 Security Notice |
Uber | 2016, October | Private GitHub repo with AWS credentials | N/A | Names and driver’s license numbers of 600k drivers, PII of 57 million users | Uber concealed cyberattack ... |
OneLogin | 2017, May | AWS keys | Created EC2 instances | Accessed database tables (with encrypted data) | May 31, 2017 Security Incident |
Politifact | 2017, October | "Misconfigured cloud computing server" | N/A | Coinhive cryptojacking | Hackers have turned Politifact’s website into a trap for your PC |
DXC Technologies | 2017, November | Private AWS key exposed via GitHub | 244 EC2 instances started | Cryptomining | DXC spills AWS private keys on public GitHub |
LA Times | 2018, February | S3 global write access | N/A | Cryptojacking | Coinhive cryptojacking added to homicide.latimes.com |
Tesla | 2018, February | Globally exposed Kubernetes console, Pod with AWS credentials | N/A | Cryptojacking | Imperva Security Update |
Voova | 2019, March | Stolen credentials by former employee | N/A | Deleted 23 servers | Sacked IT guy annihilates 23 of his ex-employer’s AWS servers |
Capital One | 2019, April | "Misconfigured WAF" that allowed for a SSRF attack | Over-privileged EC2 Role | 100 million credit applications | A Technical Analysis of the Capital One Cloud Misconfiguration Breach |
JW Player | 2019, September | Weave Scope (publicly exposed), RCE by design | N/A | Cryptojacking | How A Cryptocurrency Miner Made Its Way onto Our Internal Kubernetes Clusters |
Malindo Air | 2019, September | Former employee insider threat | N/A | 35 million PII records | Malindo Air: Data Breach Was Inside Job |
Imperva | 2019, October | “Internal compute instance” globally accessible, “Contained” AWS API key | N/A | RDS snapshot stolen | Hacker puts code spaces out of business |
Cameo | 2020, February | Credentials in mobile app package | N/A | Access to backend infrastructure, including user data | Celeb Shout-Out App Cameo Exposes Private Videos and User Data |
Open Exchange Rates | 2020, March | Third-party compromise exposing access key | N/A | User database | Exchange rate service’s customer details hacked via AWS |
Expel case study 1 | 2020, April | 8 IAM access keys compromised | Backdoored security groups | Command line access to EC2 instances | Finding evil in AWS: A key pair to remember |
TeamTNT Worm | 2020, April | Misconfigured Docker & k8s platforms | Steals AWS credentials from ~/.aws/* | Cryptojacking for Monero | Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials, TeamTNT with new campaign aka “Chimaera” |
Twilio | 2020, July | S3 global write access | N/A | Magecart [2] | Incident Report: TaskRouter JS SDK Security Incident |
Expel case study 2 | 2020, July | Root IAM user access key compromised | SSH keys generated for EC2 instances | Cryptojacking | Behind the scenes in the Expel SOC: Alert-to-fix in AWS |
Natures Basket responsible disclosure | 2020, July | Hard-coded root keys in source code exposed via public S3 bucket | N/A | N/A | GotRoot! AWS root Account Takeover |
Cryptomining AMI | 2020, August | Windows 2008 Server Community AMI | N/A | Monero miner | Cryptominer Found Embedded in AWS Community AMI |
Mandiant: Insider Threat Scenario | 2020, September | Fired employee uses credentials | Access CI/CD server, create a new user, steal credentials | Deleted production databases | Cloud Breaches: Case Studies, Best Practices, and Pitfalls |
Animal Jam | 2020, November | Slack compromise exposes AWS credentials | N/A | User database | Kids' gaming website Animal Jam breached |
Cisco | 2020, December | Former employee with AWS access 5 months post-resignation | N/A | Deleted ~450 EC2 instances | Former Cisco engineer sentenced to prison |
Juspay | 2021, January | Compromised old, unrecycled Amazon Web Services (AWS) access key | N/A | Masked card data, email IDs and phone numbers | Data from August Breach of Amazon Partner Juspay Dumped Online |
20/20 Eye Care Network and Hearing Care Network | 2021, January | Compromised credential | N/A | S3 buckets accessed then deleted | 20/20 Eye Care Network and Hearing Care Network notify 3,253,822 health plan members of breach that deleted contents of AWS buckets |
LogicGate | 2021, April | Compromised credentials | N/A | Backup files in S3 stolen | Risk startup LogicGate confirms data breach |
Ubiquiti | 2021, April | Compromised credentials from IT employee's LastPass (alleged former employee insider threat) | N/A | Root administrator access to all AWS accounts, extortion | Ubiquiti All But Confirms Breach Response Iniquity |
Uran Company | 2021, July | Compromised Drupal with API keys | N/A | Cryptomining | Clear and Uncommon Story About Overcoming Issues With AWS |
Kaspersky | 2021, November | Compromised SES token from third party | N/A | Phishing attacks | Kaspersky's stolen Amazon SES token used in Office 365 phishing |
Onus | 2021, December | Log4Shell vulnerability in Cyclos server | AmazonS3FullAccess creds (and DB creds) in Cyclos config | 2 million ONUS users’ information including EKYC data, personal information, and password hash was leaked. | The attack on ONUS – A real-life case of the Log4Shell vulnerability |
Flexbooker | 2021, December | Unknown | Unknown | 3.7M first and last names, email addresses, phone numbers, "encrypted" passwords | Booking management platform FlexBooker leaks 3.7 million user records |
Expel case study 3 | 2022, April | Credentials in publicly available code repository | AttachUserPolicy used for privesc | Cryptomining (prevented) | Incident report: From CLI to console, chasing an attacker in AWS |
[1] Postmortem Culture: Learning from Failure
[2] Note: There have been numerous identified incidents of Magecart exploiting S3 global write access; one review found it targeting "well over 17,000 domains".