2026-04-03
[vendor] Trivy (open-source vulnerability scanner); GitHub Actions
[malware] TeamPCP Cloud Stealer
Vector: TeamPCP (UNC6780) leveraged credentials stolen via the March 2026 Trivy vulnerability scanner supply chain compromise to breach Cisco's internal development and build environment via a malicious GitHub Action plugin
In early April 2026, Cisco disclosed that attackers leveraged credentials stolen through the March 2026 Trivy supply chain compromise (attributed to TeamPCP / UNC6780) to penetrate …
2026-03-19
[vendor] Amazon Web Services; Trivy (open-source container scanner)
Vector: Attackers compromised the open-source security tool Trivy in a supply chain attack; a secret AWS API key associated with the European Commission's account was embedded in Trivy data and extracted by ShinyHunters, enabling access to the EC's AWS cloud environment
On March 19, 2026, ShinyHunters obtained an AWS API key belonging to the European Commission's cloud environment via a prior compromise of the open-source security tool Trivy. This …
2026-03-19
[vendor] Trivy (open-source vulnerability scanner by Aqua Security); GitHub Actions
[malware] TeamPCP Cloud Stealer
[cve] CVE-2026-33634
Vector: TeamPCP (UNC6780) exploited a misconfigured GitHub Actions workflow in Aqua Security's Trivy vulnerability scanner repository, compromising the aqua-bot service account to execute an imposter commit attack that force-pushed malicious code to 76 of 77 version tags across aquasecurity/trivy-action and aquasecurity/setup-trivy
On March 19, 2026, TeamPCP (tracked by Google GTIG as UNC6780) began the first stage of a cascading multi-tool supply chain campaign by exploiting a misconfigured GitHub Actions …
2026-03-12
[vendor] Okta (identity/SSO); Telus (BPO/outsourcing)
[malware] infostealer (unspecified)
Vector: Threat actor compromised an Okta SSO account belonging to a support agent at Telus (Crunchyroll's BPO partner); malware on the employee's device harvested credentials used to access Crunchyroll's support ticket system
On March 12, 2026, a threat actor gained access to Crunchyroll's customer support ticketing system after compromising an Okta account belonging to an employee of Telus Digital, …
2026-03-01
[vendor] nx (npm build tool); AWS; GitHub Actions OIDC
Vector: UNC6426 leveraged credentials (GitHub Personal Access Token) stolen during the 2025 nx npm package supply chain compromise to abuse GitHub-to-AWS OpenID Connect (OIDC) trust, escalating from a developer PAT to full AWS AdministratorAccess within 72 hours
In March 2026, UNC6426 demonstrated a sophisticated attack chain converting a stolen developer GitHub Personal Access Token (from the 2025 nx npm supply chain compromise) into full …
2026-03-01
[vendor] Anodot (AI analytics/SaaS integration platform); Snowflake (cloud data warehouse)
Vector: ShinyHunters maintained persistent access to Anodot's (an AI analytics SaaS integrator) infrastructure and stole authentication tokens used to connect Anodot to downstream customer Snowflake environments
In April 2026, ShinyHunters disclosed that they had breached Anodot (an Israeli AI analytics company acquired by Glassbox in November 2025), maintaining access 'for some time.' By …
2026-02-04
[vendor] Zendesk (customer support platform); Okta (identity/SSO)
Vector: ShinyHunters compromised an Okta SSO account to access Hims & Hers' Zendesk customer support instance
Between February 4–7, 2026, threat actors used a compromised Okta SSO account to access Hims & Hers' Zendesk support instance and exfiltrate customer support tickets. The breach …
2026-01-22
Vector: DOGE (Department of Government Efficiency) transferred sensitive Social Security Administration data to an external cloud server without standard federal data security controls
The Department of Government Efficiency (DOGE) — the advisory body established by the Trump administration — was reported to have transferred sensitive Social Security …
2026-01-09
[vendor] Salesforce (third-party marketing/CRM platform)
Vector: ShinyHunters used vishing (voice phishing) to compromise IT support at a third-party vendor (believed to be Salesforce) used by Betterment for marketing and customer communications, gaining access to third-party software platforms
On January 9, 2026, Betterment (a major US robo-advisor and investment platform) suffered a data breach after ShinyHunters used vishing to compromise IT support at a third-party …
2026-01-01
[vendor] Google Cloud Platform (BigQuery); Salesforce; Drift
Vector: ShinyHunters discovered Google Cloud Platform credentials for Telus Digital embedded in a Drift data export; used those credentials to access BigQuery, then pivoted using additional secrets found with trufflehog to access further systems
Telus Digital (Canadian BPO providing outsourced customer support, content moderation, and AI services) confirmed a multi-month breach on March 12, 2026. ShinyHunters claimed …
2025-12-26
[vendor] Amazon Web Services S3; Zendesk; GitLab
Vector: Unauthorized actor transferred files from Eurail's AWS S3 buckets, Zendesk instance, and GitLab repositories on December 26, 2025; initial access vector not disclosed
On December 26, 2025, an unauthorized actor exfiltrated data from Eurail B.V.'s (European rail pass operator covering 33 national railways) AWS S3, Zendesk, and GitLab instances. …
2025-12-15
Vector: ShinyHunters used vishing (voice phishing) to trick SoundCloud employees into providing access credentials to an ancillary service dashboard rather than the company's core production systems
In December 2025, ShinyHunters breached SoundCloud via vishing — attackers convinced employees to provide access to an ancillary service dashboard. SoundCloud confirmed the breach …
2025-11-11
[vendor] MongoDB (cloud database)
Vector: Misconfiguration: IDMerit left a MongoDB database containing KYC identity verification records publicly accessible on the internet without authentication
Cybernews researchers discovered on November 11, 2025, that IDMerit (a US identity verification and KYC/AML services provider) had left a MongoDB database publicly exposed without …
2025-10-15
[vendor] Mixpanel (product analytics SaaS)
Vector: Threat actors compromised Mixpanel's product analytics platform infrastructure, gaining access to customer behavioral and analytics data that dozens of companies had shared with Mixpanel for product improvement and user analytics purposes
In late 2025, Mixpanel, a widely-used product analytics SaaS platform, suffered a breach that exposed user behavioral data from dozens of customer companies. Confirmed affected …
2025-10-01
[vendor] GitLab (self-hosted instance)
Vector: Crimson Collective gained unauthorized access to Red Hat's internal consulting GitLab instance used for customer engagement collaboration, exfiltrating approximately 570GB of compressed data from over 28,000 repositories
On October 1, 2025, the cybercrime group Crimson Collective disclosed a breach of Red Hat's consulting GitLab instance, claiming to have exfiltrated 570 GB of data from over 28,000 …
2025-09-01
[vendor] Drift (Salesloft)
Vector: Compromise of third-party service provider / vendor relationship
In 2025, Cloudflare experienced a data security incident via a third-party vendor relationship. The compromised third-party vendor was Drift (Salesloft). Source reporting: …
2025-09-01
[vendor] Drift (Salesloft)
Vector: Compromise of third-party service provider / vendor relationship
In 2025, Elasticsearch B.V. experienced a data security incident via a third-party vendor relationship. The compromised third-party vendor was Drift (Salesloft). Source reporting: …
2025-09-01
[vendor] Drift (Salesloft)
Vector: Compromise of third-party service provider / vendor relationship
In 2025, Fastly experienced a data security incident via a third-party vendor relationship. The compromised third-party vendor was Drift (Salesloft). Source reporting: …
2025-09-01
[vendor] Drift (Salesloft)
Vector: Compromise of third-party service provider / vendor relationship
In 2025, Workday experienced a data security incident via a third-party vendor relationship. The compromised third-party vendor was Drift (Salesloft). Source reporting: …
2025-08-08
[vendor] Salesloft Drift (AI chat/sales engagement platform); Salesforce; Google Workspace; Slack
Vector: UNC6395 compromised Salesloft's Drift AI chatbot integration and stole OAuth authentication tokens used to connect Drift with downstream customer Salesforce, Google Workspace, and Slack environments
Between August 8–18, 2025, threat actors tracked as UNC6395 exploited compromised OAuth tokens from the Salesloft Drift integration to gain unauthorized access to connected …
2025-08-01
[vendor] Salesforce
Vector: Compromise of third-party service provider / vendor relationship
Air France and KLM disclose data breaches impacting customers. Air France and KLM announced on Wednesday that attackers had breached a customer service platform and stolen the data …
2025-08-01
[vendor] Salesforce
Vector: Compromise of third-party service provider / vendor relationship
Fashion giant Chanel hit in wave of Salesforce data theft attacks. French fashion giant Chanel is the latest company to suffer a data breach in an ongoing wave of Salesforce data …
2025-08-01
[vendor] Salesforce
Vector: Compromise of third-party service provider / vendor relationship
Cisco discloses data breach impacting Cisco.com user accounts. Cisco has disclosed that cybercriminals stole the basic profile information of users registered on Cisco.com …
2025-08-01
[vendor] Salesforce
Vector: Compromise of third-party service provider / vendor relationship
Farmers Insurance data breach impacts 1.1M people after Salesforce attack. U.S. insurance giant Farmers Insurance has disclosed a data breach impacting 1.1 million customers, with …
2025-08-01
[vendor] Drift (Salesloft)
Vector: Compromise of third-party service provider / vendor relationship
Update: Salesloft’s Drift Integration Security Incident Impacting Some PagerDuty Salesforce Data. Per our August 29 post, we were notified in late August that PagerDuty (and our …
2025-08-01
[vendor] Salesforce
Vector: Compromise of third-party service provider / vendor relationship
Pandora confirms data breach amid ongoing Salesforce data theft attacks. Danish jewelry giant Pandora has disclosed a data breach after its customer information was stolen in the …
2025-08-01
[vendor] Salesforce
Vector: Compromise of third-party service provider / vendor relationship
TransUnion suffers data breach impacting over 4.4 million people. Consumer credit reporting giant TransUnion warns it suffered a data breach exposing the personal information of …
2025-07-16
[vendor] Salesforce CRM
Vector: Vishing / social engineering: attackers impersonated IT helpdesk to trick an employee or vendor into granting access to a cloud-based Salesforce CRM system; Salesforce Data Loader used to bulk-exfiltrate data
On July 16, 2025, threat actors gained access to a third-party cloud CRM (Salesforce) used by Allianz Life Insurance of North America via social engineering/vishing. Attackers used …
2025-07-01
[vendor] Salesforce CRM; Salesforce Data Loader (malicious OAuth app abuse)
Vector: ShinyHunters (Scattered Lapsus$ Hunters) used vishing (voice phishing) to impersonate IT support staff, tricking employees into visiting Salesforce's connected app setup page and entering a 'connection code' that linked a malicious OAuth app (malicious Salesforce Data Loader) to the employee's Salesforce environment
In July 2025, Qantas Airways (Australia's flag carrier) suffered a Salesforce data breach attributed to ShinyHunters/Scattered Lapsus$ Hunters via a vishing campaign. Approximately …
2025-07-01
[vendor] Salesforce
Vector: ShinyHunters compromised Cisco's Salesforce CRM environment through social engineering / vishing of a Salesforce-privileged employee, part of the broader 2025 ShinyHunters Salesforce campaign
Cisco confirmed in August 2025 that it had been affected by the ShinyHunters Salesforce social engineering campaign. Exposed data included names, addresses, user IDs, email …
2025-07-01
[vendor] Salesforce
Vector: ShinyHunters compromised Pandora and Chanel's Salesforce CRM environments through social engineering / vishing, part of the broader 2025 ShinyHunters Salesforce campaign targeting major brand CRM instances
Pandora (Danish jewelry brand) and Chanel (French luxury fashion house) both disclosed in August 2025 that their Salesforce CRM environments had been compromised as part of the …
2025-07-01
[vendor] Salesforce
Vector: ShinyHunters compromised Stellantis's Salesforce environment through vishing/social engineering of a Salesforce-privileged user, part of the broader 2025 ShinyHunters Salesforce campaign
Stellantis, the multinational automotive manufacturer (maker of Jeep, Chrysler, Fiat, Peugeot, and other brands), disclosed in September 2025 that a breach via its Salesforce …
2025-05-29
[vendor] Salesforce (third-party vendor)
Vector: ShinyHunters and Scattered Spider breached a third-party vendor (believed to be Salesforce) used by Farmers Insurance, gaining unauthorized access to a database containing customer information
On May 29, 2025, hackers breached a third-party vendor system used by Farmers Insurance Exchange and its subsidiaries. Farmers was alerted to the suspicious activity on May 30, …
2025-05-01
[vendor] SimpleHelp RMM (Remote Monitoring and Management)
[malware] DragonForce ransomware
[cve] CVE-2024-57726 +2
Vector: CWE-22: Path Traversal (CVE-2024-57727) and CWE-269: Improper Privilege Management (CVE-2024-57726)
The DragonForce ransomware cartel exploited three vulnerabilities in SimpleHelp RMM software (disclosed January 2025) to breach a managed service provider (MSP) and then pivot to …
2025-03-15
[vendor] Ivanti Connect Secure VPN (versions 22.7R2.5 and earlier; ICS 9.x end-of-life)
[malware] TRAILBLAZE (in-memory dropper), BRUSHFIRE (passive backdoor), SPAWN ecosystem
[cve] CVE-2025-22457
Vector: CWE-121: Stack-based Buffer Overflow (CVE-2025-22457 — stack buffer overflow in Ivanti Connect Secure enabling remote code execution)
CVE-2025-22457 is a stack-based buffer overflow in Ivanti Connect Secure. Ivanti initially classified it as a low-risk DoS-only vulnerability and patched it 11 February 2025 in …
2025-03-01
[vendor] Oracle Health (formerly Cerner)
Vector: Compromise of third-party service provider / vendor relationship
Oracle Health breach compromises patient data at US hospitals. A breach at Oracle Health impacts multiple US healthcare organizations and hospitals after a threat actor stole …
2025-01-28
[vendor] Western Sydney University SSO / identity management systems
Vector: CWE-287: Improper Authentication (single sign-on (SSO) service compromised; insider/former student gained unauthorised access)
Unauthorised access to Western Sydney University's systems via the SSO service occurred between 28 January and 25 February 2025. Approximately 10,000 current and former students …
2025-01-22
[vendor] Oracle Health (formerly Cerner) EHR
[cve] CVE-2025-30154
Vector: Attacker used stolen credentials to access legacy Cerner EHR servers that had not yet been migrated to Oracle Cloud; CVE-2025-30154 exploited in related Oracle infrastructure
On or after January 22, 2025, a threat actor used stolen credentials to access legacy Cerner electronic health record (EHR) servers belonging to Oracle Health that had not yet been …
2025-01-01
[vendor] Oracle Cloud Infrastructure (OCI) / Oracle Identity Manager / Oracle Access Manager
[cve] CVE-2021-35587
Vector: A threat actor known as 'rose87168' claimed to have exploited a vulnerability in Oracle Cloud's login infrastructure (login.oracle.com / Oracle Identity Manager) to access Oracle's SSO and LDAP systems, exfiltrating approximately 6 million records including encrypted SSO passwords, LDAP password hashes, and JKS files
In March 2025, a threat actor known as 'rose87168' advertised on BreachForums the sale of approximately 6 million records allegedly stolen from Oracle Cloud's federated SSO login …
2025-01-01
[vendor] Otelier
Vector: Compromise of third-party service provider / vendor relationship
Otelier data breach exposes info, hotel reservations of millions. Hotel management platform Otelier suffered a data breach after threat actors breached its Amazon S3 cloud storage …
2025-01-01
Vector: Compromised credentials of a third-party service provider / contractor with access to Grubhub's internal systems
Grubhub detected unusual activity traced to a compromised third-party contractor account in early 2025. The contractor had access to internal systems used for customer care. Stolen …
2024-12-15
[vendor] Ivanti Connect Secure VPN / Ivanti Policy Secure / Ivanti ZTA Gateways
[malware] SPAWN ecosystem (SPAWNANT installer, SPAWNMOLE tunneller, SPAWNSNAIL SSH backdoor, SPAWNSLOTH log tamper tool)
[cve] CVE-2025-0282 +1
Vector: CWE-121: Stack-based Buffer Overflow (CVE-2025-0282 — unauthenticated stack-based buffer overflow enabling RCE)
CVE-2025-0282 is an unauthenticated stack-based buffer overflow in Ivanti Connect Secure, Policy Secure, and ZTA Gateways enabling remote code execution. Mandiant identified …
2024-12-01
[vendor] Atlassian Jira (project management platform)
Vector: Compromised credentials and vulnerabilities in Orange Romania's Jira software and internal portals; attacker had access for over one month
In early 2025, the HellCat-affiliated threat actor 'Rey' exfiltrated 6.5 GB of data (12,000 files) from Orange Romania's back-office systems, resulting in exposure of over 600,000 …
2024-11-01
[vendor] Atlassian's JIRA server
Vector: Compromise of third-party service provider / vendor relationship
Schneider Electric confirms dev platform breach after hacker steals data. Schneider Electric has confirmed a developer platform was breached after a threat actor claimed to steal …
2024-09-19
[vendor] Elasticsearch (cloud database)
Vector: Misconfiguration: Serviceaide left an Elasticsearch database containing Catholic Health patient PHI publicly accessible on the internet without authentication for approximately six weeks
Between September 19 and November 5, 2024, Serviceaide (an agentic AI-powered IT and workflow management platform based in Santa Clara, CA) left an Elasticsearch database …
2024-07-01
[vendor] Snowflake
Vector: Compromise of third-party service provider / vendor relationship
Massive AT&T data breach exposes call logs of 109 million customers. AT&T is warning of a massive data breach where threat actors stole the call logs for approximately 109 million …
2024-07-01
[vendor] Otelier (formerly Hotel Effectiveness)
Vector: Threat actors compromised Otelier's hotel management SaaS platform by stealing credentials through an infostealer malware infection, then used those credentials to access Otelier's Atlassian systems and AWS S3 buckets containing hotel customer reservation data
Otelier, a cloud-based hotel management platform used by major hotel chains worldwide, was breached starting in approximately July 2024. Threat actors obtained employee credentials …
2024-06-25
[vendor] cdn.polyfill.io (JavaScript polyfill CDN service)
Vector: Chinese company Funnull CDN acquired the polyfill.io domain and associated GitHub repository from its original maintainer in early 2024; subsequently modified the polyfill.js script served by cdn.polyfill.io to inject malicious code that redirected mobile users to scam and malicious sites, with obfuscation to avoid detection
In June 2024, security researchers at Sansec discovered that cdn.polyfill.io — a widely used JavaScript polyfill service loaded by approximately 380,000 websites — had been …
2024-05-01
[vendor] Snowflake
Vector: Compromise of third-party service provider / vendor relationship
What Snowflake isn't saying about its customer data breaches | TechCrunch. As another Snowflake customer confirms a data breach, the cloud data company says its position "remains …
2024-05-01
[vendor] Snowflake
Vector: Compromise of third-party service provider / vendor relationship
Snowflake account hacks linked to Santander, Ticketmaster breaches. A threat actor claiming recent Santander and Ticketmaster breaches says they stole data after hacking into an …
2024-05-01
[vendor] Pure Storage Snowflake workspace (telemetry/support)
Vector: CWE-522: Insufficiently Protected Credentials (infostealer-harvested credentials, no MFA on Snowflake)
Pure Storage, a leading enterprise cloud storage provider, confirmed on June 11, 2024 that attackers breached its Snowflake workspace as part of the broader UNC5537/Sp1d3r campaign …
2024-05-01
[vendor] Bausch Health Snowflake data warehouse
Vector: CWE-522: Insufficiently Protected Credentials (infostealer-harvested credentials, no MFA on Snowflake)
Bausch Health, a Canadian pharmaceutical company, was targeted as part of the 2024 UNC5537/Sp1d3rHunters Snowflake credential-theft campaign. The threat actor 'Sp1d3rHunters' …
2024-04-24
[vendor] Dropbox Sign (formerly HelloSign) e-signature platform
Vector: Attacker gained access to a Dropbox Sign automated system configuration tool, using it to execute code in the context of the Sign application; this provided access to the customer database and to application-related secrets including API keys, OAuth tokens, and MFA keys/seeds
On 24 April 2024, Dropbox discovered that a threat actor had accessed Dropbox Sign's (formerly HelloSign's) production environment. Dropbox Sign is an e-signature service used by …
2024-04-17
[vendor] Snowflake cloud data platform / Santander third-party database
Vector: CWE-307: Improper Restriction of Excessive Authentication Attempts (stolen credentials reused against Snowflake tenant with no MFA)
UNC5537 accessed a third-party Snowflake-hosted database used by Santander. Breach began April 17, discovered May 10, disclosed May 14. ShinyHunters listed data on BreachForums …
2024-04-14
[vendor] Snowflake cloud data platform / Advance Auto Parts
Vector: CWE-307: Improper Restriction of Excessive Authentication Attempts (stolen credentials reused against Snowflake tenant with no MFA)
UNC5537 accessed Advance Auto Parts' Snowflake environment between April 14 and May 24, 2024. Breach disclosed July 10 via Maine AGO notification affecting 2.3 million current and …
2024-04-14
[vendor] Snowflake cloud data platform / AT&T
Vector: CWE-307: Improper Restriction of Excessive Authentication Attempts (stolen credentials reused against Snowflake tenant with no MFA)
UNC5537 downloaded AT&T call and text metadata for nearly all ~110 million AT&T wireless customers, covering May–Oct 2022 and a small subset from Jan 2023. Data included call/text …
2024-04-14
[vendor] Snowflake cloud data platform
[malware] VIDAR, RISEPRO, REDLINE, RACCOON STEALER, LUMMA, METASTEALER (infostealers used to harvest credentials)
Vector: CWE-307: Improper Restriction of Excessive Authentication Attempts (stolen credentials from infostealer malware reused against Snowflake tenant with no MFA)
UNC5537 (ShinyHunters / Scattered Spider affiliates) used infostealer-harvested credentials to authenticate to Ticketmaster's Snowflake tenant which had no MFA configured. …
2024-04-14
[vendor] Snowflake cloud data platform / LendingTree QuoteWizard subsidiary
Vector: CWE-307: Improper Restriction of Excessive Authentication Attempts (stolen credentials reused against Snowflake tenant with no MFA)
UNC5537 threat actor 'Sp1d3r' posted on BreachForums 1 June 2024 claiming 190 million individual records and 3 billion tracking pixel data records (2 TB compressed) stolen from …
2024-04-14
[vendor] Snowflake (cloud data warehouse)
[malware] VIDAR/RISEPRO/REDLINE infostealers (used to harvest Snowflake credentials)
Vector: UNC5537 used infostealer-harvested credentials to access Neiman Marcus's Snowflake cloud environment without MFA
Neiman Marcus (US luxury retailer) was breached as part of the UNC5537 mass-Snowflake campaign in May 2024. While the company notified Maine AG of 64,472 individuals, Troy Hunt …
2024-04-14
[vendor] Snowflake (cloud data platform)
[malware] Lumma/Vidar/RedLine infostealers (used to harvest credentials)
Vector: UNC5537 (Scattered Spider) used infostealer-harvested credentials to access AT&T's Snowflake cloud environment without MFA; attackers exfiltrated call and SMS metadata records between 14-25 April 2024
Nearly 110 million AT&T wireless customers had call and text metadata stolen — which numbers were contacted, call duration, and for some users cell tower location data. Data …
2024-04-01
[vendor] Snowflake cloud data platform
[malware] Redline Stealer / Lumma Stealer / Vidar / Raccoon Stealer / Risepro
Vector: CWE-522: Insufficiently Protected Credentials (infostealer-harvested credentials used against Snowflake instances lacking MFA)
UNC5537 / Scattered Spider / ShinyHunters used credentials stolen by infostealer malware (some dating back to Nov 2020) to access 160+ Snowflake customer environments lacking MFA. …
2024-04-01
[vendor] Cylance/BlackBerry data warehouse (Snowflake)
Vector: CWE-522: Insufficiently Protected Credentials (infostealer-harvested credentials, no MFA on Snowflake account)
Cylance (a cybersecurity company owned by BlackBerry) confirmed in June 2024 that a data breach occurred involving a third-party cloud platform. The threat actor 'Sp1d3r' claimed …
2024-04-01
[vendor] Snowflake (cloud data warehouse)
[malware] Lumma; Vidar; RedLine; RisePro; Raccoon (infostealers used to harvest credentials)
Vector: UNC5537 (Scattered Spider / ShinyHunters) used credentials harvested by infostealer malware (Lumma, Vidar, RedLine, RisePro, Raccoon) to log into Snowflake customer accounts that lacked MFA; no breach of Snowflake's own platform
UNC5537 compromised approximately 165 Snowflake customer tenants in a mass credential-stuffing campaign from April 2024. Known victims include AT&T (110M records), Ticketmaster …
2024-04-01
[vendor] Snowflake cloud data platform / Neiman Marcus
Vector: CWE-307: Improper Restriction of Excessive Authentication Attempts (stolen credentials reused against Snowflake tenant with no MFA)
UNC5537 accessed Neiman Marcus's Snowflake database between April and May 2024. Official notification to Maine AGO cited 64,472 individuals; however, HIBP analysis identified 31 …
2024-04-01
[vendor] Snowflake (suspected third-party cloud platform)
Vector: Third-party cloud platform compromise; likely Snowflake credential theft via infostealer malware (not officially confirmed by TEG); ShinyHunters linked
Ticketek Australia (operated by TEG, Ticket Entertainment Group) disclosed a data breach in May/June 2024 involving a third-party cloud platform. A ShinyHunters-linked actor posted …
2024-04-01
[vendor] Snowflake (cloud data platform)
Vector: Stolen credentials (via infostealer malware) used to access LAUSD vendor Snowflake account with no MFA configured; part of the broader UNC5537 Snowflake credential campaign
Los Angeles Unified School District had student and teacher data stored in Snowflake accounts maintained by one or more third-party vendors. As part of the UNC5537 / ShinyHunters …
2024-04-01
[vendor] Slack
Vector: Malicious file (trojanised AI art program) distributed via GitHub; credential theft from victim's 1Password password manager
Ryan Mitchell Kramer (alias 'NullBulge'), a 25-year-old from Santa Clarita, California, distributed a malicious AI art generation tool on GitHub. When a Disney employee downloaded …
2024-02-19
[vendor] ConnectWise ScreenConnect (remote access / remote desktop tool for MSPs)
[malware] LockBit ransomware, Bl00dy ransomware, various RATs and backdoors deployed by multiple threat actors
[cve] CVE-2024-1709 +1
Vector: Authentication bypass vulnerability (CVE-2024-1709, CVSS 10.0) in ConnectWise ScreenConnect — a widely-used remote desktop and access tool used by managed service providers (MSPs) — allowed unauthenticated remote attackers to bypass authentication and create new administrator accounts, leading to complete system compromise; a second path traversal vulnerability (CVE-2024-1708) also existed; multiple ransomware groups and nation-state actors exploited the vulnerabilities within hours of disclosure
On 19 February 2024, ConnectWise disclosed two critical vulnerabilities in ScreenConnect — an on-premises remote access tool used by managed service providers (MSPs) and IT teams …
2024-01-01
[vendor] GitLab (self-hosted); Amazon S3
Vector: Attackers gained access to Sisense's self-hosted GitLab code repository, found credentials/tokens granting access to Sisense's Amazon S3 buckets in the cloud, and exfiltrated customer access tokens, API keys, passwords, and certificates
CISA issued an urgent advisory on 11 April 2024 warning Sisense customers to immediately rotate all credentials used with the platform. Sisense (a business intelligence/analytics …
2024-01-01
[vendor] Amazon Web Services (AWS) S3
Vector: Amazon Web Services (AWS) cloud storage misconfiguration: data left unencrypted and publicly accessible in S3 buckets managed by Volkswagen's software subsidiary CARIAD
Volkswagen Group's software subsidiary CARIAD left data on approximately 800,000 EV owners unencrypted and publicly accessible in AWS cloud storage for months. Affected brands: …
2023-12-01
[vendor] Ivanti Connect Secure / Policy Secure
[malware] ZIPLINE backdoor / LIGHTWIRE webshell / WARPWIRE credential harvester / THINSPOOL dropper
[cve] CVE-2023-46805 +2
Vector: CWE-305: Authentication Bypass by Primary Weakness chained with CWE-77: Command Injection
Chinese nexus APT UNC5221 exploited chained zero-days in Ivanti Connect Secure VPN gateways starting Dec 2023, publicly disclosed Jan 10 2024 by Volexity. CVE-2023-46805 (auth …
2023-11-14
[vendor] Cloudflare internal systems (Atlassian Confluence wiki, Jira bug tracker, Bitbucket source code)
Vector: CWE-287: Improper Authentication (stolen access tokens and service account credentials from Okta October 2023 breach reused; Cloudflare failed to rotate them)
Nation-state threat actor (attributed to Midnight Blizzard / Cozy Bear / APT29 in some reporting) used one access token and three service account credentials stolen during the Okta …
2023-11-03
[vendor] Amazon Web Services (AWS)
Vector: A threat actor used a compromised AWS access key credential belonging to Sumo Logic to gain unauthorized access to Sumo Logic's AWS infrastructure
On November 3, 2023, Sumo Logic, a cloud-native security analytics and log management platform, discovered that a compromised AWS access key had been used to gain unauthorized …
2023-11-01
[vendor] Okta
Vector: Compromise of third-party service provider / vendor relationship
Okta breach: 134 customers exposed in October support system hack. Okta says attackers who breached its customer support system last month gained access to files belonging to 134 …
2023-09-29
[vendor] Mercedes-Benz GitHub Enterprise organization / source code repositories
Vector: A Mercedes-Benz employee inadvertently included a GitHub API token in a public GitHub repository; the token provided unrestricted read access (with no expiration date) to the entire Mercedes-Benz Enterprise GitHub organization, allowing access to all private repositories
In January 2024 (revealed for an exposure dating to September 2023), RedHunt Labs security researchers discovered that a GitHub API authentication token belonging to a …
2023-09-28
[vendor] Okta Customer Support System (Salesforce Service Cloud)
Vector: Attacker used a stolen credential to access Okta's customer support case management system (Salesforce Service Cloud); the credential was compromised because an Okta employee had signed into their personal Google account on a work device, and the credential was stored in the personal Google account which was later breached
On 28 September 2023, an attacker used a stolen service account credential to gain access to Okta's customer support case management system. The attacker downloaded a report …
2023-09-28
[vendor] Okta Customer Support System
Vector: CWE-522: Insufficiently Protected Credentials (employee personal Google account compromise exposing corporate credentials)
Threat actor accessed Okta customer support case management system Sept 28 - Oct 17 2023 using credentials stolen from an employee's personal Google account. 134 Okta customers …
2023-09-08
[vendor] MGM Resorts enterprise systems / Okta / VMware ESXi
[malware] ALPHV/BlackCat
Vector: CWE-1391: Use of Weak Credentials (social engineering via LinkedIn identity theft + vishing helpdesk to bypass Okta MFA)
Scattered Spider (UNC3944) used LinkedIn to identify MGM employee, called IT helpdesk impersonating them to get Okta/Azure admin access. Waited 2 days then launched ransomware …
2023-09-05
[vendor] Stolen LastPass vaults possibly cracked
[loss] $35M
Vector: Smart contract exploit / hack
In November 2022, popular password management tool LastPass disclosed that hackers had stolen "password vaults" containing data belonging to more than 25 million users. Although …
2023-08-18
[vendor] Caesars Entertainment loyalty program database / Okta
[malware] Scattered Spider ransomware
Vector: CWE-1390: Weak Authentication (vishing / voice phishing social engineering of outsourced IT vendor to bypass Okta MFA)
Scattered Spider targeted Caesars' outsourced IT support vendor Aug 18 2023 via voice phishing, convincing vendor to hand over Okta credentials. Within days accessed 6TB loyalty …
2023-05-15
[vendor] Microsoft Exchange Online / Microsoft Azure AD (Entra ID)
Vector: CWE-287: Improper Authentication (forged authentication tokens using a stolen Microsoft MSA consumer signing key; used to access Exchange Online accounts across enterprise and personal tenants)
Storm-0558, a Chinese state-sponsored threat actor (attributed to MSS), acquired a Microsoft MSA consumer token signing key (method of acquisition still unclear as of CSRB review) …
2023-05-01
[vendor] Zendesk
Vector: Compromise of third-party service provider / vendor relationship
Discord Informs Users of Data Breach Involving Customer Support Provider.
2023-02-01
[vendor] Envoy
Vector: Compromise of third-party service provider / vendor relationship
Atlassian data leak caused by stolen employee credentials. Atlassian has confirmed that a breach at a third-party vendor caused a recent leak of company data and that their network …
2023-01-01
[vendor] CircleCI CI/CD platform (customer secrets/environment variables)
Vector: CircleCI's January 2023 breach (malware on engineer laptop stole session token) allowed attackers to access CircleCI customer secrets; Datadog's RPM package signing key was stored in CircleCI CI/CD environment variables and was exposed
In January 2023, Datadog disclosed that its RPM (Red Hat Package Manager) signing key used to sign Datadog agent packages had been exposed in the CircleCI breach. CircleCI's …
2023-01-01
[vendor] Mailchimp email marketing platform (internal admin tools)
Vector: Attackers used social engineering to target Mailchimp customer-facing operations staff, obtaining credentials to access internal tools used by Mailchimp's customer support and account administration teams; the attackers then used this access to view and export customer list data
In April 2022, Mailchimp discovered that a malicious actor had conducted a social engineering attack on Mailchimp employees and contractors, gaining access to Mailchimp's internal …
2022-12-16
[vendor] CircleCI CI/CD platform (customer environment variables and secrets)
Vector: Malware was deployed on a CircleCI engineer's laptop that had access to production systems; the malware stole a valid session cookie and bypassed 2FA, allowing the attacker to impersonate the engineer's session; the attacker then exfiltrated customer data and encryption keys from CircleCI's production infrastructure
In December 2022 (disclosed 4 January 2023), CircleCI — a widely-used CI/CD platform with over 500,000 developer users — discovered that an attacker had stolen customer environment …
2022-12-01
[vendor] Jenkins (CI/CD); Amazon S3
Vector: A publicly accessible Jenkins CI/CD server misconfiguration at CommuteAir exposed AWS credentials, which a security researcher used to access multiple S3 buckets — including one containing the TSA's No Fly List
In January 2023, a security researcher discovered that CommuteAir, a US regional airline, had a publicly exposed Jenkins build server with no authentication required. The Jenkins …
2022-11-30
[vendor] LastPass cloud storage / AWS S3 customer vault backups
[malware] Keylogger (via vulnerable Plex Media Server)
Vector: Attacker used information stolen in the August 2022 LastPass breach (source code and technical data) to target a senior LastPass DevOps engineer at home; exploited a vulnerable third-party media software package on the engineer's personal computer to install a keylogger; captured the employee's master password and MFA credentials to access their LastPass corporate vault; then accessed a LastPass AWS S3 cloud backup containing encrypted customer password vaults
In November-December 2022, attackers who had previously breached LastPass in August 2022 (stealing source code and technical documentation) used that information to identify and …
2022-11-11
[vendor] Amazon Web Services (AWS)
Vector: Attackers (believed to be either FTX insiders or nation-state actors) accessed AWS infrastructure secrets and private key material for multiple FTX-affiliated entities shortly after FTX filed for bankruptcy, draining approximately $400M from FTX and related exchange wallets
On November 11-12, 2022, within hours of FTX's bankruptcy filing, approximately $400 million was drained from FTX exchange and FTX US wallets in a series of unauthorized …
2022-08-08
[vendor] LastPass Password Manager
[cve] CVE-2020-5741
Vector: CWE-1232: Improper Lock of Memory That Contains Resource (developer laptop compromise via malware; second stage via vulnerable Plex Media Server CVE-2020-5741)
Two-stage breach in 2022. Aug 8-11: attacker compromised software developer's laptop, stole 14 source code repositories. Aug 12: senior DevOps engineer's personal computer …
2022-08-04
[vendor] Twilio
Vector: SMS phishing (smishing) of employee credentials leading to downstream supply chain compromise
On August 4, 2022, Twilio — a cloud communications platform used by thousands of businesses — confirmed that attackers had breached its internal systems by sending SMS phishing …
2022-08-01
[vendor] Mailchimp email marketing platform (internal admin tools)
Vector: Attackers used social engineering to target Mailchimp customer-facing operations staff, obtaining credentials to access internal tools used by Mailchimp's customer support and account administration teams; the attackers then used this access to view and export customer list data
In April 2022, Mailchimp discovered that a malicious actor had conducted a social engineering attack on Mailchimp employees and contractors, gaining access to Mailchimp's internal …
2022-08-01
Vector: 0ktapus / Scattered Spider threat actors phished an employee of an unnamed third-party vendor with access to DoorDash systems via SMS phishing (smishing), then used the stolen credentials to access DoorDash's internal tools and customer data
On August 25, 2022, DoorDash disclosed a data breach caused by a phishing attack against an employee of an unnamed third-party vendor with access to DoorDash's internal systems. …
2022-08-01
[vendor] Twilio
Vector: Compromise of third-party service provider / vendor relationship
Twilio hack exposed Signal phone numbers of 1,900 users. Phone numbers of close to 1,900 Signal users were exposed in the data breach Twilio cloud communications company suffered …
2022-06-01
[vendor] Twilio Communications Platform
Vector: CWE-1021: Improper Restriction of Rendered UI Layers (SMS phishing / smishing with real-time OTP relay to fake login page)
Twilio employees received smishing SMS impersonating IT dept claiming password expiry. Employees entered credentials on fake Twilio login page with real-time MFA relay bypassing …
2022-04-07
[vendor] GitHub OAuth / Heroku integration / Travis CI integration
Vector: An attacker obtained stolen OAuth user tokens issued to Heroku and Travis CI (two third-party GitHub integrations); used the tokens to enumerate and download private GitHub repositories for organizations that had granted these integrations OAuth access; then used credentials found in those repositories to access downstream systems
In April 2022, GitHub detected that an attacker had used stolen OAuth user tokens issued to third-party integrations — specifically Heroku Dashboard (OAuth app ID 145909) and …
2022-03-01
[vendor] Sykes Enterprises
Vector: Compromise of third-party service provider / vendor relationship
Third-party company: Sykes Enterprises.
2022-01-16
[vendor] Okta Identity Platform
[malware] Mimikatz
Vector: CWE-1391: Use of Weak Credentials (third-party support contractor workstation compromise via RDP + credential harvesting)
Lapsus$ accessed Okta's network via compromised Sitel/Sykes contractor support workstation starting Jan 16 2022. Attacker used RDP lateral movement, accessed …
2022-01-01
[vendor] Pegasus Airlines AWS S3 bucket (Electronic Flight Bag / EFB data)
Vector: Misconfigured publicly accessible Amazon S3 bucket containing Pegasus Airlines' Electronic Flight Bag (EFB) software — airline operational data systems — was discovered by SafetyDetectives researchers; the bucket required no authentication to access
In early 2022, SafetyDetectives researchers discovered a publicly accessible Amazon S3 bucket belonging to Pegasus Airlines — a major Turkish airline with approximately 74 million …
2022-01-01
[vendor] Amazon S3; Amazon Web Services (IAM)
Vector: An AWS IAM access key was inadvertently exposed in a publicly accessible Football Australia S3 bucket, enabling unauthorized access to backend systems and customer data spanning football players and fans
Football Australia, the governing body for association football (soccer) in Australia, suffered a data breach when AWS IAM credentials were exposed in a misconfigured Amazon S3 …
2021-10-06
[vendor] Twitch (Amazon subsidiary) internal Git / source code infrastructure
Vector: Anonymous actor (posting as 'Anonymous' on 4chan) claimed a server misconfiguration allowed access to Twitch's internal Git repositories; the attacker obtained credentials or tokens that granted access to Twitch's internal infrastructure
On 6 October 2021, an anonymous actor posted a 125 GB torrent on 4chan containing Twitch's entire source code, internal security tools, mobile and desktop clients, proprietary …
2021-10-04
Vector: Server misconfiguration — Twitch stated the data was exposed due to an error in a Twitch server configuration change; the specific nature of the misconfiguration was not detailed, but the attacker accessed and exfiltrated data from Twitch's internal Git repositories and infrastructure
On October 6, 2021, an anonymous user posted a 125GB torrent to 4chan claiming it was a complete Twitch data dump intended to 'foster more disruption and competition in the online …
2021-08-09
[vendor] Microsoft Azure Cosmos DB (globally distributed cloud database)
Vector: Wiz.io researchers discovered a chain of vulnerabilities in Azure Cosmos DB's Jupyter Notebook integration that allowed complete access to any Azure Cosmos DB customer's database — without any action required from the victim; the vulnerability enabled attackers to read, write, and delete data in Cosmos DB accounts belonging to any Azure customer
On 9 August 2021, Wiz.io security researchers discovered a critical vulnerability chain in Microsoft Azure Cosmos DB — Microsoft's flagship globally distributed database service …
2021-08-01
[vendor] Microsoft
Vector: Compromise of third-party service provider / vendor relationship
Microsoft Data Breach Exposes 38M Records Containing PII | TechTarget. A Microsoft Power Apps data breach exposed 38M records containing PII and impacted 47 organizations, …
2021-07-02
[vendor] Kaseya VSA
[malware] REvil / Sodinokibi
[cve] CVE-2021-30116
Vector: CWE-89: SQL Injection in Kaseya VSA web interface (zero-day)
REvil ransomware gang exploited zero-day SQL injection and auth bypass (CVE-2021-30116) in Kaseya VSA endpoint management software on July 4th weekend 2021. Delivered malicious …
2021-07-01
[vendor] Kaseya VSA remote monitoring and management (RMM) platform
[malware] REvil (Sodinokibi) ransomware
Vector: REvil exploited multiple zero-day vulnerabilities in Kaseya VSA (CVE-2021-30116, CVE-2021-30119, CVE-2021-30120) to push malicious script execution to all managed endpoints without authentication; exploitation was conducted over the Independence Day holiday weekend
See comprehensive record: data/supply-chain/2021-07_kaseya-vsa-revil.yaml. Kaseya VSA is used by MSPs (Managed Service Providers) to remotely manage client endpoints — a single …
2021-06-21
[vendor] Amazon Web Services EC2 IMDSv1 (Instance Metadata Service v1)
Vector: UNC2903 exploited Server-Side Request Forgery (SSRF) vulnerabilities in web applications running on AWS EC2 instances to query the IMDSv1 (Instance Metadata Service v1) endpoint at 169.254.169.254, retrieving temporary IAM role credentials without authentication
UNC2903 is a financially-motivated threat actor tracked by Mandiant/Google Cloud that systematically exploited IMDSv1 vulnerabilities in AWS deployments. Beginning in mid-2021, …
2021-05-01
[vendor] Fasttrack Recruitment
Vector: Compromise of third-party service provider / vendor relationship
A UK recruitment firm exposed sensitive applicants data for months. FastTrack Reflex Recruitment firm recently joined the ranks of other companies that have been affected by data …
2021-05-01
[vendor] Microsoft Power Apps Portals (low-code platform)
Vector: Microsoft Power Apps portals defaulted to allowing public table access; organizations inadvertently exposed internal databases containing PII because Microsoft's default configuration required administrators to explicitly disable public access — a non-intuitive security posture that many missed
Security researchers at Upguard and Wiz.io discovered in mid-2021 that Microsoft Power Apps portals had a default configuration that left internal data tables publicly accessible …
2021-04-20
[vendor] Click Studios Passwordstate
[malware] Moserpass
Vector: CWE-506: Embedded Malicious Code — attackers hijacked Passwordstate's In-Place Upgrade CDN endpoint to serve trojanized update containing Moserpass infostealer
Click Studios, the Australian developer of the enterprise password manager Passwordstate, suffered a supply chain compromise between April 20–22, 2021 (a 28-hour window). Attackers …
2021-04-01
[vendor] CodeCov
Vector: Compromise of third-party service provider / vendor relationship
US investigators probing breach at code testing vendor.
2021-03-08
[vendor] Verkada (cloud-managed security cameras)
Vector: Attackers (led by Swiss hacker Tillie Kottmann / 'deletescape') found 'Super Admin' credentials for Verkada's cloud video platform in a publicly accessible Jenkins server; used them to gain root access to all 150,000 cameras across thousands of Verkada's enterprise customers
In March 2021, a collective including Swiss hacker Tillie Kottmann ('deletescape') gained access to Verkada's global security camera management platform by discovering Verkada …
2021-01-31
[vendor] Codecov Bash Uploader (codecov.io CI/CD coverage tool)
Vector: Attacker exploited a flaw in Codecov's Docker image creation process that allowed extraction of credentials from Codecov's Google Cloud Storage bucket; used these to modify the bash uploader script distributed to CI/CD pipelines; the tampered script exfiltrated CI environment variables (secrets, tokens, keys) to attacker-controlled server
Between 31 January and 1 April 2021, attackers modified Codecov's popular bash uploader script — used by thousands of CI/CD pipelines to upload code coverage reports — to …
2021-01-31
[vendor] Codecov Bash Uploader
Vector: CWE-506: Embedded Malicious Code — attackers exploited a Docker image build flaw in Codecov's CI pipeline to insert a credential-harvesting curl command into the Bash Uploader script
Codecov, a widely used code coverage reporting service, suffered a sophisticated supply chain compromise that began January 31, 2021, and was not discovered until April 1, 2021 — …
2021-01-11
[vendor] 20/20 Eye Care Network AWS S3 storage
Vector: Unknown attacker gained access to 20/20 Eye Care Network's AWS environment and accessed and deleted files stored in S3 buckets containing member information; 20/20 discovered the deletion and was unable to determine whether data was exfiltrated prior to deletion
On 11 January 2021, 20/20 Eye Care Network — a managed vision care benefits company providing administration services to health plans — discovered that an unauthorized actor had …
2021-01-01
[vendor] SocialArk
Vector: Compromise of third-party service provider / vendor relationship
Chinese start-up leaked 400GB of scraped data exposing 200+ million Facebook, Instagram and LinkedIn users. High-flying and rapidly growing Chinese social media management company …
2021-01-01
[vendor] Socialarks Elasticsearch database
Vector: Socialarks — a Chinese social media management company — left an Elasticsearch database exposed publicly without authentication; the database contained scraped and aggregated social media profile data collected by Socialarks from LinkedIn, Facebook, Instagram, and other platforms
In January 2021, security researchers at vpnMentor discovered a publicly accessible Elasticsearch database belonging to Socialarks — a Chinese social media management company that …
2021-01-01
[vendor] Pulse Connect Secure VPN (Pulse Secure / Ivanti)
[cve] CVE-2021-22893 +2
Vector: Multiple Chinese APT groups (UNC2630 / APT5, and others) exploited CVE-2021-22893 and related zero-day vulnerabilities in Pulse Connect Secure VPN appliances to gain unauthorized access to targeted organizations' networks without authentication
In April 2021, Mandiant (FireEye) and CISA disclosed that at least two Chinese APT groups (tracked as UNC2630 and UNC2717, attributed to APT5 / MANGANESE) had been exploiting …
2020-12-10
[vendor] Amazon Web Services (AWS); GitHub
Vector: Senior cloud engineer at Ubiquiti used his legitimate privileged AWS and GitHub access to clone the company's source code repositories and steal customer data, then used a VPN to disguise his identity while extorting the company
In December 2020, Nickolas Sharp, a senior cloud engineer at Ubiquiti Networks (maker of UniFi networking equipment), used his legitimate access to Ubiquiti's AWS infrastructure …
2020-12-01
[vendor] SolarWinds Orion IT monitoring platform
[malware] SUNBURST, TEARDROP, RAINDROP
Vector: Russia SVR/Cozy Bear/APT29 compromised SolarWinds' Orion software build pipeline and injected the SUNBURST backdoor into legitimate Orion updates, signed with SolarWinds' code signing certificate and distributed to ~18,000 organizations
See comprehensive record: data/supply-chain/2020-12_solarwinds-sunburst.yaml. The SolarWinds Orion supply chain attack is the defining supply chain cyber incident of the decade — …
2020-10-01
[vendor] SolarWinds Orion (supply chain)
[malware] SUNBURST; TEARDROP
Vector: Russian SVR (Cozy Bear / UNC2452) compromised FireEye via the SUNBURST backdoor in a trojanized SolarWinds Orion update — the same supply chain attack as the broader SolarWinds campaign; FireEye was the first organization to detect and publicly disclose the SUNBURST backdoor
FireEye (now Mandiant) was one of the first and most notable victims of the SUNBURST supply chain attack via SolarWinds Orion. Unlike most SUNBURST victims, FireEye was …
2020-09-28
[vendor] Broadvoice
Vector: Misconfigured Elasticsearch cluster left publicly accessible without authentication
Broadvoice, a VoIP (Voice over IP) service provider serving small and medium-sized businesses across the United States, inadvertently exposed a massive Elasticsearch cluster …
2020-09-24
[vendor] Amazon Web Services (IAM); Cisco WebEx
Vector: Attackers compromised AWS IAM user credentials associated with Cisco WebEx's infrastructure, gaining access to Cisco's cloud environment and exfiltrating data before the intrusion was detected
Cisco disclosed in February 2021 that unauthorized actors had compromised AWS IAM credentials associated with the Cisco WebEx Teams video conferencing service. The attackers …
2020-09-01
[vendor] View Media
Vector: Compromise of third-party service provider / vendor relationship
Online marketing company exposes 38+ million US citizen records. The user record files contained full names, addresses, zip codes, emails, and phone numbers of people based in the …
2020-08-01
[vendor] Razer customer Elasticsearch cluster
Vector: Razer's customer data was inadvertently exposed through a misconfigured Elasticsearch cluster that was publicly accessible without authentication; the misconfiguration was set up by a vendor and the public exposure lasted approximately one month before being discovered
In August 2020, security researcher Volodymyr Diachenko discovered a publicly accessible Elasticsearch cluster belonging to Razer — the US gaming hardware company known for gaming …
2020-06-12
[vendor] GitHub; Amazon RDS; Amazon Web Services
Vector: Attacker found Drizly AWS credentials stored in an unsecured GitHub repository (accessible to all Drizly employees), used them to access an RDS database containing 2.5 million customer records
In June 2020, Drizly (an online alcohol delivery service) suffered a data breach when an attacker discovered AWS credentials stored in a plaintext format in an internal GitHub …
2020-06-01
[vendor] Open Source Matters
Vector: Compromise of third-party service provider / vendor relationship
Joomla team discloses data breach. Joomla says a team member left an unencrypted backup of the JRD portal on a private AWS S3 bucket. The team behind the Joomla open source content …
2020-04-01
[vendor] Zoom Video Communications user accounts
Vector: Credential stuffing using credentials from previously breached services — attackers compiled email/password combinations from unrelated data breaches and tested them against Zoom accounts, successfully accessing accounts where users had reused passwords
In April 2020, at the height of the COVID-19 pandemic when Zoom usage had surged from approximately 10 million to 300 million daily meeting participants in three months, …
2020-03-26
[vendor] SolarWinds Orion Platform
[malware] SUNBURST / TEARDROP / SUNSPOT
[cve] CVE-2020-10148
Vector: CWE-506: Embedded Malicious Code inserted into SolarWinds Orion build pipeline
Russian SVR (APT29/Cozy Bear) compromised SolarWinds build environment and injected SUNBURST backdoor into Orion software updates distributed March-June 2020. ~18,000 customers …
2020-03-16
[vendor] Elasticsearch
Vector: Misconfigured Elasticsearch production logging database left publicly accessible on the internet without authentication; no malicious actor required — the data was fully open to anyone who found the server
On March 16, 2020, researchers at Safety Detectives discovered a production Elasticsearch logging database belonging to CAM4 (an adult live-streaming platform operated by Granity …
2020-03-11
[vendor] Amazon Web Services (AWS)
Vector: A First Republic Bank employee with legitimate AWS access used their credentials to exfiltrate customer data from AWS-hosted banking systems
In March 2020, First Republic Bank (a US private bank and wealth management company) disclosed that an insider threat incident had occurred. A bank employee with legitimate access …
2020-03-01
[vendor] Zoom Video Communications
Vector: Credential stuffing — attackers used large lists of username/password combinations from prior unrelated data breaches to attempt automated logins to Zoom accounts; successful matches were then compiled and sold
In April 2020, cybersecurity firm Cyble reported discovering approximately 530,000 Zoom account credentials being sold on dark web forums for as little as a fraction of a cent …
2020-01-01
[vendor] Estée Lauder Companies Elasticsearch database
Vector: Security researcher Jeremiah Fowler discovered that Estée Lauder's internal Elasticsearch database was publicly accessible without any authentication or password protection; the database contained internal records and email addresses
In February 2020, security researcher Jeremiah Fowler discovered a publicly accessible Elasticsearch database belonging to Estée Lauder — one of the world's largest cosmetics and …
2020-01-01
[vendor] Not disclosed
Vector: Compromise of third-party service provider / vendor relationship
Data Leak Exposes 750K Birth Certificate Applications. AWS misconfiguration leaves storage bucket wide open. Over 750,000 applications for US birth certificates have been found …
2019-12-31
[vendor] Pulse Secure VPN
[malware] REvil (Sodinokibi) ransomware
[cve] CVE-2019-11510
Vector: REvil (Sodinokibi) exploited CVE-2019-11510, a critical path traversal vulnerability in Pulse Secure VPN that allowed unauthenticated remote file reading, including cached plaintext VPN credentials; patch had been available since April 2019
On New Year's Eve 2019, REvil ransomware operators exploited CVE-2019-11510 in Travelex's unpatched Pulse Secure VPN to gain initial access to Travelex's corporate network. …
2019-12-01
[vendor] iPR Software
Vector: Compromise of third-party service provider / vendor relationship
GE, Dunkin', Forever 21 Caught Up in Broad Internal Document Leak. A PR and marketing provider exposed sensitive data for a raft of big-name companies. A marketing firm exposed …
2019-08-01
[vendor] Suprema BioStar 2 biometric access control platform
Vector: Security researchers at vpnMentor discovered that Suprema's BioStar 2 web-based security platform had a publicly accessible, unprotected Elasticsearch database; the database was accessible without authentication and contained the biometric and security management data for the platform's clients
In August 2019, vpnMentor security researchers Noam Rotem and Ran Locar discovered a publicly accessible Elasticsearch database belonging to Suprema — a South Korean security …
2019-07-01
[vendor] MGM Resorts cloud server (guest data)
Vector: An unauthorized attacker gained access to a cloud server used by MGM Resorts and extracted guest data; MGM had stored the data in a cloud server that was accessible without proper authentication controls; the breach was not discovered until ZDNet reporter Catalin Cimpanu was alerted to the data being circulated on a hacking forum
In July 2019, an attacker accessed a cloud server at MGM Resorts International and extracted personal data for approximately 10.6 million hotel guests. The breach went undetected …
2019-04-25
[vendor] Docker Hub user database
Vector: Unauthorized access to a database storing a subset of non-financial Docker Hub user data; Docker stated the database was accessed without authorization but did not disclose the specific attack vector
On 25 April 2019, Docker discovered unauthorized access to a Docker Hub database containing data for approximately 190,000 accounts (less than 5% of Hub users). Docker Hub is the …
2019-03-22
[vendor] Amazon Web Services (WAF, EC2 IMDSv1, S3)
Vector: Paige Thompson (former AWS engineer) exploited a Server-Side Request Forgery (SSRF) vulnerability in a misconfigured AWS WAF to reach the EC2 Instance Metadata Service (IMDSv1) endpoint, stealing temporary IAM role credentials; used those credentials to access 700+ S3 buckets containing Capital One customer data
On March 22-23, 2019, Paige Thompson (alias 'erratic'), a former AWS software engineer, exploited a misconfigured AWS Web Application Firewall (WAF) running on Capital One's EC2 …
2019-02-01
[vendor] Verifications.io Elasticsearch database
Vector: Verifications.io, an email verification service, left an Elasticsearch database containing 763 million records exposed publicly on the internet without authentication; the database was discovered by security researchers Bob Diachenko and Vinny Troia
In March 2019, security researchers Bob Diachenko and Vinny Troia discovered a massive publicly accessible Elasticsearch database belonging to Verifications.io — an email …
2019-02-01
[vendor] CSC e-Governance Services Ltd (cscbhim.in)
Vector: Misconfigured AWS S3 bucket publicly exposing 409 GB of sensitive financial and identity data
In late May 2020, researchers at vpnMentor discovered that CSC e-Governance Services Ltd — the government-mandated third party operating the merchant onboarding portal for India's …
2018-08-24
[vendor] MedCall Healthcare Advisors
Vector: Misconfigured AWS S3 bucket exposing 7GB of sensitive medical records and patient-doctor audio recordings
On August 24, 2018, cybersecurity researchers at UpGuard discovered a publicly accessible, misconfigured Amazon Web Services S3 storage bucket belonging to MedCall Healthcare …
2018-06-19
[vendor] Amazon Web Services S3
Vector: Misconfigured Amazon S3 bucket created by an AWS salesperson with public read permissions — the bucket named "abbottgodaddy" was created to store pricing proposal documents for a GoDaddy AWS engagement and was not locked down to account-owner-only access as required by best practice
On June 19, 2018, researchers from UpGuard's Cyber Risk Team discovered a publicly accessible Amazon S3 bucket named "abbottgodaddy" that contained sensitive configuration and …
2018-06-14
[vendor] Mailgun
Vector: SMS interception bypassing two-factor authentication on employee cloud and source code hosting accounts
Between June 14 and June 18, 2018, an attacker compromised several Reddit employee accounts at the company's cloud hosting and source code hosting providers by intercepting …
2018-06-01
[vendor] Elasticsearch
Vector: Exactis, a data broker, left a 2TB Elasticsearch database publicly accessible on the open internet with no authentication required; discovered by security researcher Vinnie Troia
Security researcher Vinnie Troia discovered in June 2018 that Exactis, a Florida-based data broker and marketing aggregation company, had left a 2-terabyte Elasticsearch database …
2018-05-30
[vendor] Agilisium
Vector: Unsecured Apache Airflow server deployed by contractor without authentication
On May 30, 2018, security researcher Bob Diachenko of Kromtech Security Center discovered an Apache Airflow server belonging to Agilisium, a cloud data contractor for Universal …
2018-05-23
[vendor] PageUp People HR recruitment SaaS platform
Vector: Unknown attacker compromised PageUp People's cloud-based HR and recruitment platform; PageUp described it as unusual activity in its IT infrastructure suggesting a malware infection; the platform stored candidate and employee data for over 100 Australian and global employers
In May 2018, PageUp People — a Melbourne-based HR and recruitment software company with clients across Australia, UK, US, Canada, and other countries — discovered unusual activity …
2018-05-23
[vendor] PageUp (Australian HR and recruitment SaaS platform)
Vector: Malware infection of PageUp's systems; PageUp detected unusual activity on May 23, 2018 and confirmed malware had compromised some of its infrastructure; the precise initial intrusion vector (e.g., spearphishing, unpatched vulnerability) was not publicly disclosed
On June 1, 2018, PageUp — an Australian HR software company whose recruitment platform is used by over 100 Australian and international enterprises — disclosed that it had detected …
2018-04-01
[vendor] Amazon S3; Amazon Web Services
Vector: A contract worker with knowledge of the credentials used Chegg's AWS root account credentials and shared access keys to access an S3 bucket containing user data, exfiltrating records for 40 million users
In April 2018, Chegg, an American education technology company, suffered a data breach when a contract worker used Chegg's AWS root account credentials — which had been shared …
2018-02-09
[vendor] Amazon S3
Vector: LA Times' Amazon S3 bucket hosting the Homicide Report web application was publicly writable due to misconfigured S3 ACLs; attackers injected Coinhive cryptocurrency mining JavaScript into the page
In February 2018, the LA Times' Homicide Report website was discovered to be running Coinhive cryptocurrency mining code injected by attackers who had exploited a publicly writable …
2017-10-01
[vendor] Amazon RDS (Relational Database Service)
Vector: Imperva's internal database migration process created an Amazon RDS snapshot and made it publicly accessible; the snapshot contained customer authentication tokens, password hashes, and API keys. An attacker later found and accessed this snapshot
Imperva, a cybersecurity company providing cloud-based web application firewall (WAF) and DDoS protection services, disclosed in August 2019 that a data breach had exposed customer …
2017-06-08
[vendor] NICE Systems
Vector: Misconfigured Amazon S3 bucket left publicly accessible without authentication
On June 8, 2017, UpGuard cyber risk analyst Chris Vickery discovered a publicly accessible Amazon S3 storage bucket owned and operated by NICE Systems, an Israeli telephonic …
2017-06-01
[vendor] Deep Root Analytics AWS S3 bucket
Vector: Deep Root Analytics, a data analytics firm contracted by the Republican National Committee, misconfigured an Amazon S3 bucket that was set to public access; the bucket contained detailed voter data compiled from multiple sources including publicly available voter registration records, proprietary commercial data, and political modeling scores
In June 2017, UpGuard cybersecurity researcher Chris Vickery discovered an Amazon S3 bucket belonging to Deep Root Analytics — a data analytics firm that had been contracted by the …
2017-06-01
[vendor] Deep Root Analytics
Vector: Unsecured Amazon S3 bucket with no access controls or authentication
On June 12, 2017, UpGuard cyber risk analyst Chris Vickery discovered a publicly accessible Amazon S3 cloud storage bucket containing approximately 1.1 terabytes of data on 198 …
2017-06-01
[vendor] NICE Systems AWS S3 bucket (Verizon customer data)
Vector: NICE Systems — an Israel-based enterprise software company contracted by Verizon for call center quality improvement — misconfigured an Amazon S3 bucket to be publicly accessible; the bucket contained customer account data from Verizon's customer call center operations
In July 2017, UpGuard security researchers discovered that NICE Systems — an enterprise software company contracted by Verizon to manage call center quality assurance — had left an …
2017-05-31
[vendor] OneLogin single sign-on / identity management platform
Vector: Attacker obtained access keys to the AWS platform used by OneLogin's US data region via an unknown mechanism, then used those keys to make AWS API calls to enumerate OneLogin's infrastructure and access customer data; the attacker used AWS API access to decrypt data stored in OneLogin's environment
On 31 May 2017, OneLogin — an enterprise single sign-on and identity management provider serving approximately 2,000 enterprise customers — suffered a breach in which an attacker …
2016-11-01
[vendor] Zendesk Support and Chat
Vector: Unauthorized access to Zendesk Support and Chat customer account databases; breach originated in 2016 and disclosed to affected customers in October 2019
In October 2019, Zendesk — a major customer service software platform used by over 145,000 organizations — disclosed a security breach that affected customer accounts created …
2016-10-13
[vendor] GitHub
Vector: Credential stuffing attack on Uber engineers' GitHub accounts using passwords from prior breaches; AWS access keys found in private repositories
In October 2016, two hackers used credential stuffing to access Uber engineers' private GitHub repositories, leveraging passwords exposed in previous data breaches. Uber did not …
2016-10-01
[vendor] Uber / AWS S3
Vector: CWE-312: Cleartext Storage of Sensitive Information (AWS credentials exposed in GitHub repository, used to access S3 bucket with customer data)
Attackers found Uber AWS credentials in GitHub and downloaded data affecting 57M users and drivers (names, emails, phone numbers; 600K US driver license numbers). Uber CSO Joe …
2016-10-01
[vendor] Uber private GitHub repository / AWS S3
Vector: Attackers found Uber's private GitHub repository containing hardcoded AWS credentials; used those credentials to access an AWS S3 bucket containing a backup archive with rider and driver personal data; attackers contacted Uber and demanded $100,000 in exchange for deleting the data
In October-November 2016, two attackers discovered that Uber's private GitHub code repository contained hardcoded AWS credentials. Using those credentials, they accessed an AWS S3 …
2016-09-22
[vendor] Cloudflare reverse proxy / CDN / security service
Vector: A bug in Cloudflare's HTML parser (introduced 22 September 2016) caused the parser to read past the end of a buffer when processing certain HTML constructs (including server-side includes, email obfuscation, and automatic HTTPS rewrites); the overrun memory contained data from other Cloudflare customers' HTTP requests including authentication tokens, session cookies, passwords, and private messages — this data was served in HTTP responses to users and cached by Google, Bing, and other search engines
On 22 September 2016, Cloudflare deployed a change to its HTML parsing pipeline that introduced a buffer overread bug (named 'Cloudbleed' by researcher Tavis Ormandy, in reference …
2016-07-07
[vendor] Amazon Web Services (AWS)
Vector: An attacker gained access to DataDog's internal systems and obtained AWS access keys, which could have been used to access customer AWS environments where the DataDog agent was installed
On July 7-8, 2016, DataDog, a cloud monitoring and analytics platform, detected unauthorized access to its internal systems and discovered that AWS access keys had been exposed. …
2016-01-01
[vendor] Amazon S3
Vector: Vitagene left Amazon S3 buckets containing customer raw DNA data and health profile files publicly accessible without authentication, with no CloudTrail logging enabled to detect unauthorized access
Vitagene, a consumer DNA and ancestry testing company, left Amazon S3 buckets containing raw genetic data files, health reports, and personal information for customers publicly …
2015-06-12
[vendor] LastPass password manager user database
Vector: Unknown attacker compromised LastPass's network and gained access to the LastPass database; specific intrusion vector was not disclosed; the attacker accessed user account email addresses, password reminders, server per-user salts, and authentication hashes
On 12 June 2015, LastPass — one of the world's most widely used password managers with tens of millions of users — discovered that its network had been compromised and that user …
2014-11-09
[vendor] Amazon S3; Amazon Web Services
Vector: An old, forgotten AWS access key from a former employee's prototype environment was discovered by an attacker and used to access BrowserStack's production customer database in Amazon S3
In November 2014, BrowserStack, a cloud-based browser and device testing platform, suffered a breach when an attacker discovered a forgotten, active AWS access key that had been …
2014-06-17
[vendor] Amazon Web Services (EC2, S3, EBS)
Vector: Attacker gained access to Code Spaces' AWS management console (EC2 control panel) using stolen credentials, then launched a DDoS attack and demanded payment; when Code Spaces attempted to regain control, the attacker systematically deleted all EC2 instances, S3 buckets, EBS snapshots, and machine images
Code Spaces was a code hosting and project management platform (similar to GitHub) that operated entirely on AWS. On June 17, 2014, an attacker gained access to Code Spaces' AWS …
2014-05-12
[vendor] Uber private GitHub / AWS S3 driver database
Vector: An Uber software engineer stored AWS credentials in a private GitHub repository; the repository was accessed by a third party who used the credentials to access an Amazon S3 bucket containing the driver database backup; the third party used the AWS access to download approximately 50,000 driver names and licence numbers
In May 2014, a third party accessed an Uber software engineer's private GitHub repository that contained AWS credentials stored in code. Using these credentials, the attacker …
2013-11-06
[vendor] Toyota Connected cloud platform / Toyota T-Connect telematics service
Vector: Misconfigured Toyota Connected cloud environment exposed vehicle location data to the public internet; the data was stored in a cloud environment (managed by Toyota's subsidiary Toyota Connected) with misconfigured access controls that made it publicly accessible without authentication for approximately 10 years
Toyota disclosed in May 2023 that vehicle data for 2.15 million Toyota and Lexus customers in Japan had been publicly accessible via a misconfigured cloud environment for …
2013-11-06
[vendor] Toyota Connected cloud environment (T-Connect, G-Link, G-Link Lite, G-BOOK)
Vector: Cloud misconfiguration — Toyota's connected vehicle cloud environment was configured to be publicly accessible without authentication; the misconfiguration resulted from 'insufficient explanation and thoroughness of data handling rules' causing data not to be stored with appropriate access controls
Toyota Motor Corporation disclosed on May 12, 2023 that vehicle location data and other connected vehicle information for approximately 2.15 million customers in Japan had been …
2013-01-01
[vendor] Prestige Software
Vector: Misconfigured AWS S3 bucket left publicly accessible without authentication; contained hotel reservation records dating back to 2013
Prestige Software, a Spain-based hotel channel management platform used by major online travel agencies including Hotels.com, Booking.com, and Expedia, left a misconfigured Amazon …
2012-07-01
Vector: A Dropbox employee reused their LinkedIn password for their Dropbox work account; when the 2012 LinkedIn breach exposed that password, attackers used it to log into the employee's Dropbox work account, which contained a document with hashed Dropbox user passwords
The Dropbox breach of approximately July 2012 originated from employee password reuse. A Dropbox employee had reused their LinkedIn account password for their corporate Dropbox …