Credential theft
BrowserStack Forgotten AWS Access Key Breach
Incident Details
In November 2014, BrowserStack, a cloud-based browser and device testing platform, suffered a breach when an attacker discovered a forgotten but still-active AWS access key that had been created for a prototype project years earlier and never deactivated. The attacker used this key to access an Amazon S3 bucket containing customer records and sent a mass email to all BrowserStack customers claiming the company was selling data and was ‘done.’ BrowserStack publicly disclosed the breach within two days, rotated all credentials and investigated. The incident exposed customer names and email addresses. BrowserStack’s transparent post-mortem blog post became a frequently cited example of responsible breach disclosure and of the security risk posed by forgotten credentials: keys that remain valid long after the need for them has passed.
Technical Details
- Initial Attack Vector
- An old, still-active AWS access key, created for a former employee's prototype environment and never deactivated, was discovered by an attacker and used to read BrowserStack's customer records stored in Amazon S3
- Vendor / Product
- Amazon S3; Amazon Web Services
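The control this incident argues for is a routine audit of IAM access keys that flags any active key that is old, has never been used, or has sat idle. The following is an added example written for this entry; it is not code from BrowserStack's post-mortem or an AWS tool. The user names, key IDs and dates are constructed, and fetch_from_aws() assumes boto3 is installed with credentials permitting iam:ListUsers, iam:ListAccessKeys and iam:GetAccessKeyLastUsed; the audit itself runs offline on the sample records.

```python
"""Audit IAM access keys for the failure mode in this incident: an active key
that is old, never used, or long idle.

Added example, not BrowserStack's or AWS's own tooling. The audit runs offline
on constructed records; fetch_from_aws() shows how the same records are built
from the real IAM API with boto3 (assumed installed and credentialed)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class AccessKey:
    user: str
    key_id: str
    status: str                    # "Active" or "Inactive", as IAM reports it
    created: datetime              # tz-aware, like boto3's CreateDate
    last_used: Optional[datetime]  # None when IAM has no LastUsedDate (never used)


@dataclass
class Finding:
    user: str
    key_id: str
    reasons: List[str] = field(default_factory=list)


MAX_AGE = timedelta(days=90)   # rotate keys older than this
MAX_IDLE = timedelta(days=30)  # disable keys unused for this long


def audit(keys: List[AccessKey], now: datetime,
          max_age: timedelta = MAX_AGE, max_idle: timedelta = MAX_IDLE) -> List[Finding]:
    """Return one Finding per active key that breaks the age or idle policy."""
    findings = []
    for k in keys:
        if k.status != "Active":
            continue  # cannot authenticate; still worth deleting, but not a live risk
        reasons = []
        if now - k.created > max_age:
            reasons.append("older_than_max_age")
        if k.last_used is None:
            # never used: allow a new key the idle window before flagging it
            if now - k.created > max_idle:
                reasons.append("never_used")
        elif now - k.last_used > max_idle:
            reasons.append("idle")
        if reasons:
            findings.append(Finding(k.user, k.key_id, reasons))
    return findings


def fetch_from_aws() -> List[AccessKey]:
    """Build AccessKey records for every IAM user via boto3 (assumed installed).
    Needs iam:ListUsers, iam:ListAccessKeys, iam:GetAccessKeyLastUsed."""
    import boto3  # imported here so the offline audit does not require it
    iam = boto3.client("iam")
    keys = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            for md in iam.list_access_keys(UserName=name)["AccessKeyMetadata"]:
                last = iam.get_access_key_last_used(AccessKeyId=md["AccessKeyId"])
                keys.append(AccessKey(name, md["AccessKeyId"], md["Status"],
                                      md["CreateDate"],
                                      last["AccessKeyLastUsed"].get("LastUsedDate")))
    return keys


def disable_findings(findings: List[Finding], iam_client) -> None:
    """Set each flagged key Inactive (reversible); delete once nothing has broken."""
    for f in findings:
        iam_client.update_access_key(UserName=f.user, AccessKeyId=f.key_id,
                                     Status="Inactive")


# Constructed sample data (not real users or keys), dated to the incident.
UTC = timezone.utc
SAMPLE_NOW = datetime(2014, 11, 9, tzinfo=UTC)
SAMPLE_KEYS = [
    # prototype key created years earlier and never exercised: the pattern in this breach
    AccessKey("prototype-svc", "AKIAEXAMPLEPROTO0001", "Active",
              datetime(2012, 3, 1, tzinfo=UTC), None),
    # healthy: recent and in use
    AccessKey("ci-deploy", "AKIAEXAMPLECIDEPLOY2", "Active",
              datetime(2014, 10, 20, tzinfo=UTC), datetime(2014, 11, 8, tzinfo=UTC)),
    # old and dormant for months
    AccessKey("ops-backup", "AKIAEXAMPLEBACKUP003", "Active",
              datetime(2014, 1, 10, tzinfo=UTC), datetime(2014, 6, 1, tzinfo=UTC)),
    # old but already disabled: skipped
    AccessKey("old-admin", "AKIAEXAMPLEOLDADMIN4", "Inactive",
              datetime(2011, 5, 5, tzinfo=UTC), None),
    # brand new and not yet used: inside the grace window, not flagged
    AccessKey("new-hire", "AKIAEXAMPLENEWHIRE05", "Active",
              datetime(2014, 11, 1, tzinfo=UTC), None),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_KEYS, SAMPLE_NOW):
        print(f"{f.user:<14} {f.key_id}  {', '.join(f.reasons)}")
```

Run against the sample data this flags the prototype key (old and never used) and the backup key (old and idle) while leaving the in-use key, the already-inactive key and the brand-new key alone. Disabling rather than deleting first is deliberate: an Inactive key can be re-enabled if an overlooked job turns out to depend on it, whereas a deleted key cannot. The same age and last-used data is also available in bulk from the IAM credential report, which is the usual input for a scheduled version of this check.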
Timeline
- 2014-11-09 Breach occurred
- 2014-11-11 Publicly disclosed
- 2014-11-11 Customers notified