40 Non-Human Identity Breaches
In this post the NHI Mgmt Group highlights the most comprehensive view ever shared of Non-Human Identity (NHI) Breaches, covering 40 breaches that have occurred over the last few years.
This should be a Wake-Up call to all organisations, that they are sitting on a a huge exposure around Non-Human Identities i.e. Service Accounts, Machine Identities, Workload Identities, API Keys, OAuth Tokens, Certificates, Secrets etc.
Non-Human Identities are the primary attack vector used by External / Internal Threat Actors to compromise systems and steal data. With the adoption of Cloud and SaaS services, this has created a huge Secrets Sprawl problem, leaving organisations further exposed to 3rd Party Supply Chain Attacks, as can be seen from many of the breaches detailed below.
BeyondTrust Breach Causes Major Incident at US Treasury
In December 2024, BeyondTrust, a leading cybersecurity solutions provider identified anomalous activities against instances of its Remote Support Software-as-a-Service (SaaS) platform as a result of a compromised API key being exploited. Later that month the US Treasury announced a “major incident” that its systems were hacked a result of this breach, with employee workstations getting accessed including some unclassified documents.
In November 2024, Schneider Electric, confirmed a significant cybersecurity incident including unauthorized access to its internal project management system. The attacker exploited exposed credentials to gain access to Schneider Electric’s Jira server to extract a 40GB of sensitive data.
In October 2024, Permiso Security reported attackers were hijacking LLM models on cloud infrastructure to run rogue chatbot services. Threat actors leveraged AWS access keys to hijack Anthropic models provided by AWS Bedrock, for Dark Roleplaying.
In October 2024, a significant cybersecurity incident known as Emerald Whale shocked the DevOps community. This incident revolved around exposed Git configuration files, an apparently simple misconfiguration that resulted in the theft of over 15,000 sensitive data and unauthorized access to over 10,000 private repositories.
In October 2024, the Internet Archive fell victim to a major data breach affecting 31 million user accounts. Unsecured authentication tokens in their GitLab repository, which were left accessible for almost two years, were the cause of this incident. Threat actors exploited these tokens to gain access to critical systems, databases, and user data.
In October 2024, Cisco experienced a significant cybersecurity breach related to Non-Human Identities (NHIs). The threat actor ‘IntelBroker’ exploited exposed credentials, API tokens, and keys located in DevHub, Cisco’s public development environment.
In September 2024, a security researcher recently demonstrated how a series of flaws in a CI/CD environment resulted in a full server takeover. The attack started with an exposed .git directory, progressed through mismanaged CI/CD pipeline configurations and ended up with unauthorized server access.
230 Million AWS Cloud Environments Compromised
In August 2024, many organizations fell victim to a recent large scale extortion campaign targeted improperly configured cloud environments. Attackers exploited unsecure environment variable files (.env) in these environments.
In June 2024, Hugging Face, which is considered as a leading company and AI platform, announced a security breach targeting its Spaces Platform. The incident included unauthorized access to authentication secrets (API keys and tokens), which could lead to the compromise of sensitive data and disrupt workflows.
In June 2024, the New York Times (NYT), a media powerhouse known for its reporting excellence, became the subject of headlines for an entirely different reason: a significant cybersecurity breach.
In June 2024, GitHub users fell victim to an extortion campaign targeting their repositories. The threat actor gained unauthorized access to GitHub accounts using stolen credentials that seemed to be acquired from previous breaches.
In May 2024, Snowflake fell victim to a major cybersecurity breach in May 2024. The breach compromised data from major organizations, including Ticketmaster and Santander Bank, highlighting the weaknesses in cloud environments when it lacks efficient security measures.
In May 2024, Dropbox Sign experienced a significant security breach. Attackers exploited compromised backend service account which granted them the ability to access the customers database which led to the exposure of sensitive user data, including email addresses, usernames, hashed passwords, and account authentication details like API keys and OAuth tokens.
In May 2024, a critical vulnerability (CVE-2024-37051) with a CVSS score of 9.3, was reported in JetBrains’ GitHub plugin for IntelliJ-based IDEs. This vulnerability exposed GitHub access tokens to malicious third parties.
In April 2024, Sisense reported a security breach from unauthorized access to Sisense’s self-managed GitLab Instance, which led to the exfiltration of huge amounts of data, including access tokens, API keys, passwords, and certificates.
In March 2024, security researchers discovered that misconfigurations in Google Firebase instances had exposed over 19.8 million secrets. Google Firebase is a popular Backend-as-a-Service (BaaS) platform used by developers to manage databases, storage, and authentication for their applications.
Microsoft Midnight Blizzard Breach
In January 2024, Microsoft detected a cyberattack planned by the Russian state-sponsored group Midnight Blizzard (also known as Nobelium or APT29). The attacker exploited a legacy, non-production test tenant account without multi-factor authentication (MFA).
In November 2023, SAP a global software giant, made headlines after researchers discovered that over 95 million artefacts including sensitive Kubernetes secrets were exposed through public GitHub repositories and misconfigured systems.
In November 2023, a significant security incident was uncovered involving the exposure of thousands of hardcoded secrets in packages hosted on the Python Package Index (PyPI). This incident revealed that thousands of PyPI packages contained hardcoded secrets, such as API keys, database credentials, and authentication tokens
In November 2023, Sumo Logic detected unauthorized access to one of its AWS accounts. Investigations revealed that the attackers used compromised credentials to gain access to the AWS account.
In November 2023, Cloudflare disclosed a significant breach involving their internal Atlassian systems. The intrusion occurred after attackers used credentials stolen during the October 2023 Okta breach.
In October 2023, Okta, a leader in identity and access management (IAM), suffered a supply chain breach that exploited a compromised service account.
In July 2023, JumpCloud, a well-known directory-as-a-service provider, made headlines by invalidating all administrator API keys in response to a suspected security breach. This move, impacted thousands of organizations globally.
In July 2023, a sophisticated cyberattack shook the developer community, targeting GitHub repositories at an unprecedented scale. Threat actors exploited stolen GitHub personal access tokens to inject malicious code into hundreds of repositories, masquerading the commits as legitimate contributions by Dependabot, a widely used automated dependency management tool.
In June 2023, Microsoft experienced a major security breach that left many businesses and government agencies vulnerable. The breach, dubbed the Azure Key Breach, exposed a key security flaw in how Microsoft managed cryptographic keys used to validate access to its services, including Azure Active Directory (AAD) and Exchange Online.
In June 2023, Microsoft AI researchers inadvertently exposed 38TB of sensitive internal data while publishing open-source training materials on GitHub. The data included private keys, passwords, internal Teams messages, and backups of two employee workstations. The breach resulted from a misconfigured Azure Shared Access Signature (SAS) token used to share files.
In May 2023, a significant cybersecurity incident exposed sensitive Polish military data through a forgotten, outdated password. The issue began when login credentials to a mapping database (ArcGIS) were shared in a 2020 email.
In March 2023, Twitter faced a significant cybersecurity breach when it’s source code was leaked on GitHub by an unknown user, identified as “FreeSpeechEnthusiast”.
In January 2023, TT-Mobile reported a data breach affecting 37 million accounts. The breach, caused by a vulnerable Application Programming Interface (API), exposed customer data over nearly six weeks.
In January 2023, CircleCI (CI/CD) platform, fell victim to a major security breach. The breach was detected when CircleCI was alerted to suspicious GitHub OAuth activity by one of their customers.
In January 2023, Slack a leading collaboration platform, experienced a security breach involving the unauthorized access of private code repositories hosted on GitHub.
GitHub Personal Account Breach
On December 6, 2022, GitHub identified a security breach where an unauthorized actor accessed repositories from GitHub Desktop, Atom, and other deprecated GitHub-owned organizations. The breach occurred due to the compromise of a Personal Access Token (PAT) associated with a machine account.
In October 2022, Toyota disclosed a data breach resulting from a misconfigured public GitHub repository that had unknowingly exposed a hardcoded access key for five years.
In September 2022, Microsoft disabled compromised verified partner accounts exploited by attackers to conduct OAuth phishing campaigns.
On September 15, 2022, Uber Technologies Inc. faced a significant cybersecurity breach that exposed vulnerabilities within its internal systems, involving lateral movement across multiple systems.
In April 2022, Mailchimp confirmed that attackers gained unauthorized access to an internal customer support and account administration tool. This breach affected approximately 133 customers.
In April 2022, attackers exploited stolen OAuth tokens issued by third-party integrators Heroku and Travis CI to gain unauthorized access to GitHub repositories.
In October 2021, Twitch, the popular live streaming platform, suffered a significant data breach, that exposed a significant portion of its internal source code. The leak included 200GB of data, which attackers made public, including credentials, secrets, API keys, and even configuration files.
In April 2021, a supply chain attack targeted Codecov, a popular tool for measuring code coverage in software projects. The breach exploited a vulnerability in Codecov’s infrastructure, leading to the compromise of its Bash Uploader script.
In March 2021, the Sakura Samurai, an ethical hacking group, conducted a responsible vulnerability disclosure campaign. They used various reconnaissance and exploitation techniques to expose significant flaws in the cybersecurity defences of several Indian government organizations.
In January 2021, The United Nations data breach exposed the shocking reality that even the most high-profile organizations of the world may be blind to some pretty simple but catastrophic cybersecurity oversights.
Are you concerned about NHI Risks within your organisation ?
Our NHI Mgmt Group is the market leading research and advisory firm in the Non-Human Identity space. We provide independent guidance and advice for clients looking to manage the risks around Non-Human Identities
Our team has been advising, establishing and managing global regulatory IAM / NHI programs for over 25 years at major financial institutions.
We have the most comprehensive Knowledge Centre on NHIs including foundational Articles on NHIs, Industry White-Papers, Major Breaches, Research Reports, Blogs, Educational Videos, Industry Surveys, Newsletters as well as details of Products that support the risk management of NHIs.
Our NHI Mgmt Group was founded by an IAM Industry Veteran, who has managed global regulatory NHI programs, author of major White-Papers and Research articles on NHIs, established the thriving NHI LinkedIn Community Group and recognised as the #1 NHI Evangelist / Voice in the industry.
Contact us if you would like to get some independent guidance and advice on how to start tackling Non-Human Identity Risks.
Note - we sourced the initial reporting of these breaches from a number of places including Bleeping Computer, Security Week, Astrix Security, GitGuardian, Oasis Security, Entro Security, Permiso Security, Aembit.