With organizations increasingly moving to the cloud, insurance sensitive data was not more important. While cloud computing provides flexibility and expansion, it also opens the door to a set of safety risks.
From sophisticated bad operations to complex threats from the inside, cloud security violations have cost companies huge sums of money and millions of private information retreated for users. In this article, we explore 10 high -level cloud security failures, each provides a vital lesson in the importance of strong security practices. These realistic incidents act as warning tales for companies that depend on cloud services, providing the main meals to help prevent the following main breach.
Here's what happened wrongly, what could have been done differently and how companies could enhance their defenses against the advanced sophisticated scene of cloud security threats.
1. Dropbox (2012)
The accident: The infiltrator obtained the Dropbox user accreditation data through a violation of an external authority and the files stored for users, and exposed millions of accounts.
Response: Dropbox decided that user names and passwords stolen from other websites were used to log in to “small number” of Dropbox accounts. The company contacted users, and offered to help them protect their accounts.
“The stolen password has also been used to access the Dropbox account for the employee who has a project document with the user email addresses. We believe that this improper access is what led to random mail,” said Aditya Agarwal, who was the Vice President of Engineering at Dropbox. He added that Dropbox was putting additional controls in place to help ensure that the problem was not repeated.
The cloud storage company has chosen to submit a 2FA (2FA) authentication and reinforced security monitoring to prevent violations in the future. Later, in 2016, it was revealed that the violation had affected more than 68 million user accounts. Dropbox paid users who have not changed their passwords since 2012 to do this as a precautionary measure.
Lesson: The importance of strong, multi -factor authentication (MFA) and monitoring of unusual login activity.
2. Snapchat (2014)
The accident: The infrastructure -based infrastructure in Snapchat has been hacked due to weaknesses in the way you deal with user data. The infiltrators took advantage of the cloud systems and leaked millions of pictures.
Answer: In this data leakage, which is often referred to as “Snappening, Snapchat itself has not been hacked directly. Instead, Snapchat applications that have stored Snapchat's photos were hacked. A company spokesman said:” Snapchatters has been victimized by using the third airline applications to send and receive.
We explicitly prohibit third -party applications that reach our service, because they are subjected to “user safety”. Snapchat warned users of third -party applications and improved their safety policies to help prevent unauthorized access.
Lesson: It can prevent the appropriate safety measures for user data and processing in cloud storage to leak block data.
3. Uber (2016)
The accident: The infiltrators reached the storage based on the Uber's groom and obtained personal data from 57 million users and driver. Uber initially failed to report the breach.
Answer: Uber's executive officials at the end of the breach in 2017, but only after it was announced. The transportation company confirmed that 57 million accounts were at risk, including names, email addresses and phone and drivers' phone numbers. Instead of reporting the breach at the time, Uber pushed 100,000 dollars under the curtain of the insect bonus to delete data and stay silent.
In November 2017, Dara Joshroshi, who became the CEO of Uber after the violation, admitted Uber to uncover the accident soon. He said: “None of this should happen, and I will not make excuses for that. We are changing the way we work. We are taking steps to make sure we are doing the right thing to move forward.”
Joe Sullivan, Uber civil society organizations, was later fired and charged with covering up the penetration. Public prosecutors accused him of obstructing justice by classifying the breach as the payment of an insect reward. During his trial in 2022, Sullivan defended his actions, saying: “I was following the operations that were present in Uber at that time.”
However, he was convicted of obstruction of justice, as it was first identified for a security executive official on charges of abuse of data breach. After this scandal, Uber strengthened its security policies and reached a $ 148 million settlement for its failure to reveal the breach.
Lesson: Monitoring and securing cloud storage capacity, imposing strict control of access, and ensuring appropriate response protocols to respond to accidents.
4. AWS S3 Breach (2017)
The accident: A huge data leakage occurred when the companies were mistakenly left the AWS S3 can be reached publicly. These sensitive data like client information, internal business documents, and private communications.
Answer: AWS emphasized that the violations were not due to the weaknesses in AWS itself, but rather the bad formations by customers who left the S3 storage inadvertently to be publicly reached.
The cloud computing provider issued a statement showing that these violations were the result of the user's mistake, explaining: “Amazon S3 is safely safe, and access to the bulldozer is controlled by the customer. We provide clear guidelines and tools to customers to form their resources safely.”
AWS continued to offer additional safety features and improvements to help customers protect their data.
The following year, AWS CISO, Stephen Schmidt, addressed these concerns in AWS Re: He invented 2017.
Lesson: Always make care of access permits carefully and review the cloud storage regularly for safety risks.
5. Accenture (2017)
The accident: Acceneau has accidentally revealed the internal cloud databases, which contains sensitive information for the customer, including passwords, due to the weak safety configurations.
Answer: Upon discovery, Accenture secured the exposed data immediately and stated: “There was no danger to any of our customers – active accreditation data, PII or any other sensitive information have not been hacked.”
He also made it clear that open information did not grant access to customer systems and was not related to production or applications.
Lesson: Always encrypt sensitive data and carefully manage access to the infrastructure -based infrastructure.
6. Gaytap (2018)
The accident: GitHub witnessed the huge DDOS attack that benefited from the cloud's ability to expand. GitHub's infrastructure was immersed, but the accident showed how cloud services can enable and relieve large -scale attacks.
Response: This DDOS attack was one of the largest people who were ever recorded at the time, as it peaked at 1.35 TERABITS per second (TBPS). It was an attack on the altar amplification, which has benefited from the uninterrupted Memcrated servers to flood the GitHub infrastructure with traffic.
After successfully alleviating the attack, the GitHub engineering team published a blog publication showing the accident. He stated: “Between 17:21 and 17:30 UTC, Gybeth was affected by the DDOS volumetric attack.
“This was the largest DDOS attack that we witnessed-the world-at that time. The cloud-based mitigation strategies help absorb the massive traffic.”
Lesson: Cloud services are incredibly developed, but it is necessary to develop DDOS diluting strategies in place, even in cloud environments.
7. Capital (2019)
The accident: The wrong AWS S3 bucket revealed sensitive data from more than 100 million customers. A former AWS employee took advantage of a security vulnerability, access to personal information, dozens of credit and bank details.
Answer: On July 29, 2019, Capital One announced that on July 19, 2019, I decided that there is an unauthorized access to an external person who obtained certain types of personal information related to people who applied for his credit card products and credit card agents.
Capital I said it immediately fixed the formation loophole that was exploited and immediately began to work with the implementation of the federal law. The individual responsible for the breach was arrested by the FBI, the capital offered free credit monitoring and the protection of identity to the affected people.
Lesson: The importance of the appropriate training management and control of access to cloud services.
8. Microsoft (2019)
The accident: In 2019, Microsoft revealed millions of customer support records due to the wrong cloud storage settings. The data was stored in storing Azure Blob, and it was discovered that the records, which included customer support tickets and other sensitive information, can be accessed before due to incorrect security configurations.
Answer: Microsoft has quickly secured exposed data and admitted that the third party seller was responsible for the error. They made it clear that the data was not accessed by harmful actors, but was publicly visible due to poor formation. Microsoft has prevented similar incidents in the future by tightening safety protocols to store the cloud.
Lesson: This incident highlights the decisive importance of properly creating cloud storage capacity and enforcing the appropriate access controls. Regular security and monitoring audits are necessary to determine the limit of weaknesses before their exploitation.
9. Facebook (2019)
An accident: Facebook displays more than 540 million records through uninterrupted cloud storage, including data such as user comments, likes, and reactions, which makes it vulnerable to external access.
Answer: After the exposure was discovered, Facebook admitted that the third party developers were responsible for the unintended storage. Facebook explained that the data was not leaked directly from its own systems, but it was the result of incorrect safety practices by app developers who used Facebook applications programming facades to collect user data.
According to Facebook's action, the third -party developer was notified and encouraged them to fix the security weaknesses. It also restricts access to the application programming interface that allowed applications to collect such data, which makes it difficult to leak future data to occur due to poor formations.
Lesson: Make sure to properly form cloud storage and implement encryption to protect data in the rest.
10. Slack (2020)
The accident: The cloud infrastructure was hacked in Slack after the API code was publicly exposed to the employee. This allowed the unauthorized access to sensitive companies' data.
Response: Slack admitted and provided details of customers on how to deal with the accident. He stressed that the accident was limited in the range and did not lead to a broader compromise solution.
In the blog post, he stated: “We decided that the accident was the result of the open API code. It allowed unauthorized access to certain parts of our system. The problem has been completely resolved and the unique output symbol was nullified.”
The company also confirmed that no sensitive user data (such as private messages or account accreditation data) was subjected to breach.
Slack has updated its security practices about the management of API, and encouraged institutions to use safer methods to deal with API symbols and adopt additional authentication measures to prevent future accidents.
Lesson: Monitoring and recycling the distinctive symbols of the national interface and its rotation regularly to alleviate the risk of misuse.
A picture from Akash Kumar from Pixiabay
Do you want to learn more about cybersecurity and cloud from industry leaders? Chear Security & Cloud Expo, which is held in Amsterdam, California, and London.
Explore the upcoming web events and seminars with which Techforge works here.
