Summary
Between September 28 and October 17, 2023, an attacker used stolen credentials to access Okta's customer support case-management system. The credentials belonged to a service account that an employee had saved into their personal Google account after signing into a personal Chrome profile on an Okta-managed laptop. The attacker downloaded customer-uploaded HTTP Archive (HAR) files, some of which contained valid session tokens usable for session hijacking. The breach affected 134 customers, with confirmed session hijacking at five, including BeyondTrust, Cloudflare, and 1Password. Okta disabled the service account and blocked personal Google sign-ins on managed devices.
References
Related vulnerabilities
- HIGH: OPSEC-INTERNET-ARCHIVE-2024
Beginning around October 9, 2024, the Internet Archive suffered overlapping attacks rooted in unrotated, exposed authentication tokens. A plaintext GitLab token left in a publicly accessible config file on a dev server (exposed since at least December 2022 and never rotated) let an attacker download source code containing further embedded database credentials, enabling exfiltration of a user database of around 31 million users with emails and bcrypt-hashed passwords. A JavaScript defacement and DDoS attacks accompanied it. On October 20, 2024, an unrotated Zendesk API token, also exposed via the same token mismanagement, was used to access more than 800,000 support tickets, some containing personal ID documents.
- HIGH: OPSEC-MERCEDES-BENZ-2024
Publicly disclosed on January 30, 2024: a Mercedes-Benz employee accidentally committed a GitHub authentication token to a public repository, leaving it exposed from September 29, 2023. RedHunt Labs found the token during an internet-wide scan; it granted unrestricted, unmonitored access to Mercedes-Benz's internal GitHub Enterprise Server, allowing anyone to download private source-code repositories that could contain API keys, cloud access keys, database connection strings, blueprints, and SSO passwords. After notification, the token was revoked on January 24, 2024. Mercedes-Benz stated customer data was not affected but could not confirm whether anyone besides the researchers accessed the repositories during the exposure window.
- CRITICAL: OPSEC-MIDNIGHT-BLIZZARD-2024
Disclosed on January 19, 2024: the Russian SVR-linked actor Midnight Blizzard breached Microsoft's corporate tenant by password-spraying a legacy, non-production test account that had a weak password and no MFA, using residential proxies to evade detection. The actor then abused a malicious OAuth application, leveraging the test account's permissions to grant itself Exchange Online full_access_as_app rights and read corporate mailboxes. A small percentage of corporate email accounts were accessed, including senior leadership and staff in cybersecurity and legal functions, with some emails and attachments exfiltrated. A later update noted attempts to use exfiltrated secrets and source-code repository access.
- CRITICAL: OPSEC-23ANDME-2023
Disclosed on October 6, 2023: 23andMe was hit by a credential-stuffing campaign running from about April 2023, in which the attacker reused username/password pairs leaked from unrelated prior breaches. Because many users reused passwords, roughly 14,000 accounts were directly compromised; 23andMe's own systems were not breached, but it failed to detect or throttle the automated logins and did not enforce MFA. From those accounts, the attacker abused the opt-in DNA Relatives and Family Tree features to scrape data on approximately 6.9 million additional individuals, including names and ancestry estimates, with curated ethnicity lists advertised for sale. Downstream fallout included an approximately $30 million class-action settlement, regulatory fines, and the company's eventual bankruptcy.
- HIGH: OPSEC-MICROSOFT-SAS-2023
Microsoft's AI research team shared open-source training data via an Azure Storage Shared Access Signature (SAS) token committed to a public GitHub repo around July 2020. The token was misconfigured to scope access to the entire storage account with full-control permissions instead of the intended read-only bucket, so anyone with the link could view, delete, and overwrite files. Wiz researchers discovered it in June 2023, finding 38 terabytes of exposed internal data including two employees' workstation disk backups with secrets, private keys, passwords, and over 30,000 internal Teams messages. Writable pickle-format models created a model-poisoning supply-chain risk; Microsoft revoked the token and reported no customer data was exposed.
- HIGH: OPSEC-SOURCEGRAPH-2023
On July 14, 2023, a Sourcegraph engineer accidentally committed an active site-admin access token in a pull request, and automated secret-scanning controls failed to catch it. On August 30, 2023, an attacker used the leaked token to elevate a newly created account to site-admin and access the administrative dashboard. The attacker raised API rate limits and created a public proxy app granting arbitrary users free access to Sourcegraph's APIs and underlying LLM, with instructions spreading widely online. License-key recipient names and emails, a subset of customer license keys, and community account email addresses were exposed; Sourcegraph stated no private code or passwords were compromised.