OpSec vulnerabilities
The OpSec slice of Stateward's threat feed: 15 curated incidents and attack techniques, each explaining how it happened and how to avoid it in your own code.
15 OpSec entries · 15 curated · part of 476 total advisories
- HIGH · OpSec · OPSEC-INTERNET-ARCHIVE-2024 · SaaS · Internet Archive
Beginning around October 9, 2024, the Internet Archive suffered overlapping attacks rooted in unrotated, exposed authentication tokens. A plaintext GitLab token left in a publicly accessible config file on a dev server (exposed since at least December 2022 and never rotated) let an attacker download source code containing further embedded database credentials, enabling exfiltration of a user database of around 31 million users with emails and bcrypt-hashed passwords. A JavaScript defacement and DDoS attacks accompanied it. On October 20, 2024, an unrotated Zendesk API token, also exposed via the same token mismanagement, was used to access more than 800,000 support tickets, some containing personal ID documents.
- CRITICAL · OpSec · OPSEC-SNOWFLAKE-2024 · Cloud · Snowflake (customer tenants)
Between roughly April and June 2024, the threat group UNC5537 conducted mass data theft from about 165 Snowflake customer tenants. The attackers did not exploit any flaw in Snowflake itself; they logged in with valid usernames and passwords harvested by infostealer malware from employee and contractor machines and sold on criminal markets, some credentials years old. The targeted accounts had no MFA enabled and no network allow-listing, so stolen single-factor credentials granted direct access. Victims included Ticketmaster/Live Nation (about 560 million customers), Santander (about 30 million customers), and AT&T (call and text metadata for roughly 110 million customers, with AT&T reportedly paying about $370,000).
- HIGH · OpSec · OPSEC-MERCEDES-BENZ-2024 · Source control · Mercedes-Benz
In an incident publicly disclosed January 30, 2024, a Mercedes-Benz employee had accidentally committed a GitHub authentication token to a public repository, leaving it exposed from September 29, 2023. RedHunt Labs found the token during an internet-wide scan; it granted unrestricted, unmonitored access to Mercedes-Benz's internal GitHub Enterprise Server, allowing anyone to download private source-code repositories that could contain API keys, cloud access keys, database connection strings, blueprints, and SSO passwords. After notification, the token was revoked on January 24, 2024. Mercedes-Benz stated customer data was not affected but could not confirm whether anyone besides the researchers accessed the repositories during the exposure window.
- CRITICAL · OpSec · OPSEC-MIDNIGHT-BLIZZARD-2024 · Identity · Microsoft 365 / Entra ID
In an intrusion disclosed January 19, 2024, the Russian SVR-linked actor Midnight Blizzard breached Microsoft's corporate tenant by password-spraying a legacy, non-production test account that had a weak password and no MFA, using residential proxies to evade detection. The actor then abused a malicious OAuth application, leveraging the test account's permissions to grant itself Exchange Online full_access_as_app rights and read corporate mailboxes. A small percentage of corporate email accounts were accessed, including senior leadership and staff in cybersecurity and legal functions, with some emails and attachments exfiltrated. A later update noted attempts to use exfiltrated secrets and source-code repository access.
- HIGH · OpSec · OPSEC-OKTA-2023 · Identity · Okta
Between September 28 and October 17, 2023, an attacker used stolen credentials to access Okta's customer support case-management system. The credentials belonged to a service account that an employee had saved into their personal Google account after signing into a personal Chrome profile on an Okta-managed laptop. The attacker downloaded customer-uploaded HTTP Archive (HAR) files, some of which contained valid session tokens usable for session hijacking. The breach affected 134 customers, with confirmed session hijacking at five, including BeyondTrust, Cloudflare, and 1Password. Okta disabled the service account and blocked personal Google sign-ins on managed devices.
- CRITICAL · OpSec · OPSEC-23ANDME-2023 · Consumer/genomics · 23andMe
Disclosed October 6, 2023, 23andMe's breach was a credential-stuffing campaign that ran from about April 2023, in which the attacker reused username/password pairs leaked from unrelated prior breaches. Because many users reused passwords, roughly 14,000 accounts were directly compromised; 23andMe's own systems were not breached, but it failed to detect or throttle the automated logins and did not enforce MFA. From those accounts, the attacker abused the opt-in DNA Relatives and Family Tree features to scrape data on approximately 6.9 million additional individuals, including names and ancestry estimates, with curated ethnicity lists advertised for sale. Downstream fallout included an approximately $30 million class-action settlement, regulatory fines, and the company's eventual bankruptcy.
- HIGH · OpSec · OPSEC-MICROSOFT-SAS-2023 · Cloud · Microsoft Azure Storage
Microsoft's AI research team shared open-source training data via an Azure Storage Shared Access Signature (SAS) token committed to a public GitHub repo around July 2020. The token was misconfigured to scope access to the entire storage account with full-control permissions instead of the intended read-only bucket, so anyone with the link could view, delete, and overwrite files. Wiz researchers discovered it in June 2023, finding 38 terabytes of exposed internal data including two employees' workstation disk backups with secrets, private keys, passwords, and over 30,000 internal Teams messages. Writable pickle-format models created a model-poisoning supply-chain risk; Microsoft revoked the token and reported no customer data was exposed.
- CRITICAL · OpSec · ransomware · OPSEC-MGM-CAESARS-2023 · Hospitality · MGM Resorts and Caesars Entertainment
In September 2023, the Scattered Spider group (an ALPHV/BlackCat ransomware affiliate) used vishing and help-desk social engineering to breach MGM Resorts and Caesars Entertainment. Attackers impersonated employees to IT help desks to obtain credentials and MFA resets, then moved laterally and deployed ransomware. Caesars had its loyalty-program database stolen, including driver's license and Social Security numbers, and reportedly paid roughly $15 million of a $30 million demand. MGM refused to pay, suffered an approximately $100 million hit to quarterly EBITDAR, had over 100 ESXi hypervisors encrypted, and exposed personal data of customers who transacted before March 2019.
- HIGH · OpSec · OPSEC-SOURCEGRAPH-2023 · Source control · Sourcegraph
On July 14, 2023, a Sourcegraph engineer accidentally committed an active site-admin access token in a pull request, and automated secret-scanning controls failed to catch it. On August 30, 2023, an attacker used the leaked token to elevate a newly created account to site-admin and access the administrative dashboard. The attacker raised API rate limits and created a public proxy app granting arbitrary users free access to Sourcegraph's APIs and underlying LLM, with instructions spreading widely online. License-key recipient names and emails, a subset of customer license keys, and community account email addresses were exposed; Sourcegraph stated no private code or passwords were compromised.
- CRITICAL · OpSec · OPSEC-CIRCLECI-2023 · CI/CD · CircleCI
In December 2022, information-stealer malware on a CircleCI engineer's laptop went undetected by antivirus and stole a valid, 2FA-backed SSO session cookie, letting the attacker impersonate the engineer and bypass the second factor entirely because the session was already authenticated. The attacker exfiltrated data from a subset of production stores, including customer environment variables, tokens, and keys. CircleCI rotated all customer Project and Personal API tokens plus GitHub and Bitbucket OAuth tokens and urged customers to rotate any secrets used between December 21, 2022 and January 4, 2023. Fewer than five customers reported downstream unauthorized access.
- CRITICAL · OpSec · OPSEC-LASTPASS-2022 · Identity · LastPass
LastPass suffered two linked breaches in 2022. In August, an attacker compromised a developer account and stole source code and technical documentation. Using that information, the attacker targeted a senior DevOps engineer, one of only four people with access to production backup decryption keys, by exploiting an unpatched vulnerability in Plex media software on the engineer's home computer to install a keylogger and capture the master password after MFA. Between August 12 and October 26, 2022, the attacker exfiltrated cloud backups including encrypted customer vaults (with unencrypted URLs), AWS S3 production backups, DevOps secrets, and MFA seed databases, putting customers with weak master passwords at offline brute-force risk.
- HIGH · OpSec · OPSEC-UBER-2022 · Identity · Uber
In September 2022, an external contractor's Uber corporate credentials were compromised, likely purchased on the dark web after malware infected the contractor's personal device. The attacker launched an MFA fatigue push-bombing attack, flooding the contractor with 2FA approval requests, then posed as Uber IT over WhatsApp to convince them to approve one. Once inside, lateral movement reached hardcoded admin credentials in a PowerShell script on a network share, granting elevated access to G-Suite, Slack, vSphere, internal dashboards, and the HackerOne environment. Uber attributed the intrusion to an actor affiliated with Lapsus$ and stated no sensitive user data was exfiltrated.
- HIGH · OpSec · OPSEC-TWILIO-2022 · Communications · Twilio
On August 7, 2022, Twilio disclosed that attackers breached internal systems via an SMS phishing (smishing) campaign against employees. Staff received texts impersonating Twilio IT, claiming password expiry or schedule changes and using terms like Okta and SSO, directing them to fake login pages that harvested credentials. Several employees entered credentials, giving access to internal tools and data for 125 customers. Downstream, roughly 1,900 Signal users had phone numbers or SMS verification codes exposed and at least one account was re-registered to an attacker device, though message content and contacts remained protected. The broader 0ktapus campaign hit around 130 organizations.
- HIGH · OpSec · OPSEC-GITHUB-OAUTH-2022 · Source control · GitHub / npm
In April 2022, an attacker abused OAuth user tokens issued to two third-party integrators, Heroku and Travis CI, to authenticate to the GitHub API and download private repositories from dozens of organizations, including npm and GitHub itself. An AWS API key obtained from data downloaded with a stolen OAuth token was then used to access npm production infrastructure. GitHub stated the tokens were not compromised on its own systems, attributing the root cause to the third-party integrators, which revoked all affected OAuth tokens. Affected organizations and private-repo owners were notified.
- HIGH · OpSec · OPSEC-TWITTER-2020 · Social media · Twitter
On July 15, 2020, attackers ran a coordinated phone spear-phishing (vishing) campaign against a small number of Twitter employees, gathering employee details and tricking staff into surrendering credentials that gave access to Twitter's internal account-management admin tools. Using the admin tool, they took over high-profile accounts (changing associated emails and bypassing 2FA), targeting 130 accounts, tweeting from 45, accessing DM inboxes for 36, and downloading full account data for 7. Compromised accounts included Obama, Biden, Musk, Gates, Bezos, and Apple. A Bitcoin doubling scam netted over $100,000, and three people were charged, including the alleged 17-year-old mastermind.