NHI Forum


How a Massive NHI Attack Compromised 230 Million Cloud Identities


(@astrix)
Trusted Member
Joined: 9 months ago
Posts: 30
Topic starter  

Read full article here: https://astrix.security/learn/blog/massive-nhi-attack-insecure-aws-stored-credentials-lead-to-compromise-of-230-million-cloud-environments/?utm_source=nhimg


Researchers from Unit 42 have uncovered one of the largest Non-Human Identity (NHI)–driven cyberattacks to date, compromising over 230 million AWS, cloud, and SaaS environments. The attack exploited insecurely stored environment variable files (.env) on public web servers — files that often contain sensitive credentials such as AWS access keys, API tokens, and database passwords. By harvesting and abusing these credentials, attackers gained unauthorized access to vast cloud infrastructures, escalating privileges and deploying automation to expand their reach.

The campaign reveals a critical security blind spot: Non-Human Identities like API keys, tokens, and service accounts remain poorly governed and often left exposed. The attackers’ use of AWS API calls such as GetCallerIdentity and ListBuckets demonstrates their deep familiarity with cloud-native exploitation techniques. Once initial access was achieved, the threat actors created new administrator roles, launched malicious AWS Lambda functions, and recursively scanned more domains for exposed credentials — creating a self-propagating attack chain.

The Scope of the Attack

Unit 42 discovered that over 110,000 domains were compromised, exposing nearly 90,000 unique environment variables. Among the stolen data were 1,185 AWS access keys, OAuth tokens from PayPal, GitHub, and HubSpot, and Slack webhooks — many of which were later used to steal sensitive data or deliver ransomware demands. Attackers also targeted Mailgun credentials, indicating a likely pivot toward phishing operations at scale. Using tools like S3 Browser, they exfiltrated and deleted corporate data, leaving ransom notes addressed to company stakeholders.

Despite using Tor nodes and VPNs, traces were found linking the operation to actors in Ukraine and Morocco. This campaign underscores the growing sophistication of NHI abuse and the inadequacy of traditional security practices that focus only on human users.

Key Lessons and Prevention Strategies

This incident highlights the urgent need for robust NHI security hygiene across AWS and multi-cloud environments. Organizations must:

  • Enforce least privilege on all NHIs to reduce potential blast radius.
  • Decommission unused identities to minimize attack surfaces.
  • Automate detection and remediation of misconfigured or stale NHIs.
  • Continuously scan for exposed secrets and rotate compromised credentials.
  • Deploy anomaly detection systems to identify abnormal API or access behavior in real time.

Astrix’s Approach to NHI Protection

Astrix enables enterprises to Discover, Secure, and Monitor all Non-Human Identities across cloud and SaaS environments. By providing deep visibility into permissions, ownership, and active risks, Astrix helps organizations answer critical questions: Which NHIs exist? What can they access? Who owns them? Most importantly, Astrix empowers teams to remediate vulnerabilities instantly — preventing lateral movement, privilege escalation, and secret sprawl before they become breaches.

The Massive NHI Attack serves as a powerful reminder that identity is now the new perimeter, and securing NHIs is not optional — it’s foundational to modern cloud defense.



This topic was modified 3 days ago by Abdelrahman
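A defender-side check for the API call sequence the post describes (GetCallerIdentity to validate a harvested key, ListBuckets to enumerate, then role or Lambda creation for persistence), run over constructed CloudTrail-style records. This is an added example, not code from the post, Astrix or Unit 42; the access key IDs and timestamps are constructed, and the 30-minute window and the event-to-stage mapping are assumptions.

```python
import json
from datetime import datetime, timedelta

# CloudTrail eventName -> stage of the chain the post describes (assumed mapping).
STAGES = {
    "GetCallerIdentity": "validate",                         # sts: does the harvested key still work?
    "ListBuckets": "enumerate",                              # s3: what data is reachable?
    "CreateRole": "persist", "AttachRolePolicy": "persist",  # iam: new administrator role
    "CreateFunction20150331": "persist",                     # CloudTrail's name for lambda:CreateFunction
}
ORDER = ["validate", "enumerate", "persist"]

def parse_events(ndjson):
    """Newline-delimited CloudTrail records -> time-sorted (time, accessKeyId, stage) tuples."""
    recs = [json.loads(line) for line in ndjson.strip().splitlines()]
    return sorted(
        (datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
         r.get("userIdentity", {}).get("accessKeyId", "unknown"),
         STAGES[r["eventName"]])
        for r in recs if r.get("eventName") in STAGES)      # unrelated API calls are dropped

def detect_chain(events, window_seconds=1800):
    """{accessKeyId: chain start} for keys that ran validate -> enumerate -> persist within the window."""
    by_key = {}
    for ts, key, stage in events:
        by_key.setdefault(key, []).append((ts, stage))
    flagged = {}
    for key, seq in by_key.items():
        idx, start = 0, None
        for ts, stage in seq:
            if start is not None and ts - start > timedelta(seconds=window_seconds):
                idx, start = 0, None              # stalled: not the automated pattern, start over
            if stage == ORDER[idx]:
                start = ts if idx == 0 else start
                idx += 1
                if idx == len(ORDER):
                    flagged[key] = start
                    break
    return flagged

# Constructed sample: CHAIN01 runs the whole chain in 70 s; ADMIN02 lists buckets hours after validating.
SAMPLE_LOG = """\
{"eventTime":"2024-08-01T12:00:00Z","eventName":"GetCallerIdentity","userIdentity":{"accessKeyId":"AKIAEXAMPLECHAIN01"}}
{"eventTime":"2024-08-01T12:00:05Z","eventName":"ListBuckets","userIdentity":{"accessKeyId":"AKIAEXAMPLECHAIN01"}}
{"eventTime":"2024-08-01T12:01:10Z","eventName":"CreateRole","userIdentity":{"accessKeyId":"AKIAEXAMPLECHAIN01"}}
{"eventTime":"2024-08-01T09:00:00Z","eventName":"GetCallerIdentity","userIdentity":{"accessKeyId":"AKIAEXAMPLEADMIN02"}}
{"eventTime":"2024-08-01T14:00:00Z","eventName":"ListBuckets","userIdentity":{"accessKeyId":"AKIAEXAMPLEADMIN02"}}
{"eventTime":"2024-08-01T14:00:30Z","eventName":"DescribeInstances","userIdentity":{"accessKeyId":"AKIAEXAMPLEADMIN02"}}
"""
```

Running `detect_chain(parse_events(SAMPLE_LOG))` flags only AKIAEXAMPLECHAIN01; the operator key that enumerated hours after validating is not flagged, which is the kind of ordering-and-timing logic a real alert would need to avoid paging on routine administration.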
