
Think there’s a better way to buy for business? So do we. That’s why Amazon Business is changing the world of procurement. We simplify the purchasing process to make it easier for our customers to get the products they need. We solve for our customers’ unmet and undiscovered needs — continuously expanding our selection and adding relevant new tools and features. We’re right for any organization at any stage — starting, growing, transforming. And it’s our instinct to invent — we purposefully question what others don’t, creating unexpectedly better ways of getting things done. This is the official global LinkedIn page for Amazon Business. Follow us for updates.

Amazon Business A.I CyberSecurity Scoring

Amazon Business

Company Details

Linkedin ID: amazon-business
Employees number: 14,873
Number of followers: 172,234
NAICS: 43
Industry Type: Retail
Homepage: amazonbusiness.com
IP Addresses: 0
Company ID: AMA_1524782
Scan Status: In-progress

AI score: Amazon Business Risk Score (AI oriented): Between 750 and 799

  • Powered by our proprietary A.I. cyber incident model
  • Insurers prefer the TPRM score to calculate premiums
Global score: Amazon Business Global Score (TPRM): XXXX


Amazon Business Company CyberSecurity News & History

Past Incidents: 26
Attack Types: 5

Incident table columns: Entity | Type | Severity | Impact | Seen | Blog Details | Supply Chain Source | Incident Details
Amazon Business | Cyber Attack | Severity 85 | Impact 4 | Seen 1/2026 | Source: Amazon
Rankiteo Explanation: Attack with significant impact, with customer data leaks

Description: Critical Phishing Campaign Targets LastPass Users in Sophisticated Attack. A high-severity phishing campaign targeting LastPass users began on January 19, 2026, with attackers impersonating the company’s support team to steal master passwords. The fraudulent emails falsely claim an urgent need for vault backups within 24 hours, leveraging social engineering to exploit user trust. LastPass has confirmed that it never requests master passwords or demands immediate vault backups via email, emphasizing that legitimate communications avoid unsolicited urgent actions. The campaign was strategically launched over a U.S. holiday weekend, a tactic designed to capitalize on reduced security staffing and slower incident response times, which threat actors commonly exploit to evade detection. The phishing infrastructure relies on two key components: an initial redirect hosted on compromised AWS S3 buckets and a spoofed domain mimicking LastPass’s legitimate services. LastPass is actively working with third-party partners to dismantle the malicious infrastructure and urges users to delete any suspicious emails and report them to [email protected] for further analysis. Organizations are advised to bolster email security controls to block messages from identified sender addresses and to reinforce phishing awareness, particularly regarding urgent language and credential requests. The incident underscores the persistent risk of credential harvesting campaigns targeting password manager users.

Amazon Business | Cyber Attack | Severity 25 | Impact 1 | Seen 12/2025 | Source: LinkedIn
Rankiteo Explanation: Attack without any consequences

Description: FIN6 Exploits Cloud Infrastructure in Sophisticated HR-Targeted Phishing Campaign. The financially motivated cybercrime group FIN6 (also known as Skeleton Spider) is leveraging fake job applications and trusted cloud services to target human resources (HR) professionals in a highly evasive social engineering campaign. Researchers at DomainTools uncovered the operation, which combines professional networking platforms like LinkedIn and Indeed with malware-hosted cloud infrastructure to bypass traditional security defenses.
How the attack works:
1. Initial contact: attackers pose as job seekers on professional platforms, engaging recruiters to build rapport before sending phishing emails with malicious links.
2. Fake resume sites: domains mimicking real applicant names (e.g., bobbyweisman[.]com, ryanberardi[.]com) are registered via GoDaddy’s anonymous services and hosted on AWS EC2 or S3, blending into legitimate cloud traffic.
3. Sophisticated evasion: the sites employ traffic filtering to distinguish targets from security researchers, checking IP reputation, geolocation, OS, and browser fingerprints. Only residential Windows users bypass CAPTCHA walls to receive malicious ZIP files containing the More_eggs backdoor.
4. Malware deployment: More_eggs, a modular JavaScript backdoor, operates in memory to evade detection, enabling credential theft, command execution, and follow-on attacks, including ransomware deployment.
Why HR is a prime target: HR teams frequently interact with external contacts and handle unsolicited communications, making them vulnerable to social engineering. The campaign exploits this trust, using realistic job lures to bypass email filters and endpoint security. FIN6’s shift from point-of-sale (POS) breaches to enterprise ransomware underscores its evolution toward higher-value targets.
Cloud abuse and detection challenges: attackers favor AWS and other cloud platforms because of low-cost setup (free-tier abuse or compromised billing accounts), trusted IP ranges that evade enterprise network filters, and scalability for hosting malicious infrastructure. The campaign highlights gaps in perimeter-based security, as traditional defenses struggle to detect threats embedded in legitimate cloud services. Security teams are advised to monitor for unusual traffic patterns and suspicious file types linked to cloud-hosted malware.
AWS response and broader implications: an AWS spokesperson stated the company enforces terms prohibiting illegal use and acts swiftly on abuse reports. However, the incident raises questions about balancing cloud accessibility with security controls, particularly as threat actors increasingly exploit trusted infrastructure. FIN6’s operation demonstrates how low-complexity phishing, when paired with cloud evasion techniques, can outmaneuver even advanced detection tools, reinforcing the need for holistic security strategies that address both technical and human vulnerabilities.

Amazon Business | Vulnerability | Severity 25 | Impact 1 | Seen 12/2025 | Source: NA
Rankiteo Explanation: Attack without any consequences

Description: AI Systems Under Siege: Every Organization Targeted in Past Year, Unit 42 Finds. A new report from Palo Alto Networks’ Unit 42 reveals a stark reality: every organization surveyed has faced at least one attack on its AI systems in the past year. The findings, derived from a survey of over 2,800 participants across 10 countries (including the U.S., UK, Germany, Japan, and India), highlight a growing and systemic vulnerability in AI security, with cloud infrastructure at the heart of the problem. Conducted between September 29 and October 17, 2025, the research underscores that AI security cannot rely on reactive measures. Instead, organizations must adopt a proactive, scientific approach to safeguarding AI systems, given their complexity and critical applications. The report emphasizes that AI security is inherently tied to cloud infrastructure, where most AI workloads (data storage, model training, and application deployment) reside. Cloud platforms like AWS, Microsoft Azure, and Google Cloud, while enabling AI scalability, also present prime targets for cyberattacks. Exploitable weaknesses in cloud security can lead to unauthorized access, data theft, or operational disruptions. Traditional security measures often fall short in addressing the unique challenges of AI, such as securing data pipelines, managing identities, and protecting cloud-hosted workloads. The State of Cloud Security Report 2025 argues that the only effective defense is a holistic approach to cloud security, treating it as foundational to AI protection. This includes enforcing strong policies, encryption standards, regular audits, and isolating AI workloads from cloud vulnerabilities. As AI integrates deeper into sectors like healthcare, finance, and autonomous systems, the stakes rise: breaches could compromise sensitive data, disrupt services, or even endanger lives. Emerging threats, such as adversarial attacks designed to manipulate AI models, further complicate the landscape. The report calls for collaboration between cloud providers, AI developers, and security teams to build robust frameworks and real-time threat detection tools. The future of AI security hinges on securing the cloud infrastructure that powers it, ensuring resilience against an evolving threat landscape.

Amazon Business | Cyber Attack | Severity 50 | Impact 2 | Seen 11/2025 | Source: NA
Rankiteo Explanation: Attack limited to finance or reputation

Description: AWS Customers Targeted in Large-Scale Cryptocurrency Mining Campaign. A new cryptocurrency mining campaign is exploiting compromised AWS Identity and Access Management (IAM) credentials to hijack cloud environments for illicit profit. First detected by Amazon’s GuardDuty service on November 2, 2025, the attack leverages stolen IAM credentials to covertly deploy mining operations within AWS accounts, turning customer resources into cryptocurrency farms. The campaign employs novel persistence techniques, making detection and removal difficult. Attackers bypass standard security measures, embedding themselves within AWS infrastructure and requiring thorough remediation efforts to fully eradicate. The incident highlights vulnerabilities in cloud security, particularly around IAM credential management, as compromised access keys grant attackers unfettered control over AWS resources. GuardDuty’s automated threat detection played a key role in identifying the malicious activity, flagging unusual patterns indicative of unauthorized mining. AWS has urged customers to rotate IAM credentials immediately, enforce multifactor authentication (MFA), and monitor accounts for suspicious configurations. The attack underscores the growing sophistication of cloud-based threats and the need for proactive security measures, including regular audits and automated monitoring, to counter evolving risks in cloud environments.

Amazon Business | Cyber Attack | Severity 100 | Impact 5 | Seen 10/2025 | Source: NA
Rankiteo Explanation: Attack threatening the organization’s existence

Description: AWS experienced a 16-hour global outage on October 20, caused by DNS resolution issues in its US-East-1 region, disrupting hundreds of critical online services worldwide. Affected platforms included Zoom, Canva, banks, airlines, Roblox, Fortnite, Snapchat, and Reddit, with thousands of users in Singapore reporting disruptions via Downdetector. The outage stemmed from a chain of failures: initial DNS problems led to impairments in AWS’s internal subsystem monitoring network load balancers, followed by a backlog of internet traffic requests, prolonging restoration. The incident mirrored the severity of a coordinated cyber attack, exposing vulnerabilities in cloud resilience and overreliance on legacy technologies like DNS. While AWS confirmed increased error rates and latencies, the root cause (hardware error, misconfiguration, or human error) remains undisclosed. The outage underscored risks to global digital infrastructure, prompting regulatory responses like Singapore’s upcoming Digital Infrastructure Act to enforce stricter security and resilience standards for cloud providers. The economic and operational ripple effects highlighted the concentrated risk of single-point failures in cloud services, disrupting businesses, financial transactions, and daily digital activities for millions.

Amazon Business | Cyber Attack | Severity 60 | Impact 2 | Seen 9/2025 | Source: NA
Rankiteo Explanation: Attack limited to finance or reputation

Description: Darktrace researchers uncovered a cyber campaign dubbed ShadowV2, exploiting misconfigured, exposed Docker APIs on AWS EC2 instances. Attackers leveraged the Python Docker SDK to interact with unsecured Docker daemons, building malicious containers directly on victims' systems instead of using prebuilt images, likely to minimize forensic evidence. The compromised Docker environments were then repurposed as launchpads for DDoS (Distributed Denial of Service) attacks, turning cloud-native misconfigurations into a scalable attack vector. While AWS Docker instances are not exposed to the internet by default, improper configurations enabled external access, allowing threat actors to infiltrate systems. The attack highlights the industrialization of cybercrime, where DDoS-as-a-service models, complete with APIs, dashboards, and user interfaces, are commoditized. Although the article does not specify direct financial or data losses, the exploitation of cloud infrastructure for large-scale DDoS operations poses reputational risks, operational disruptions, and potential financial liabilities for AWS customers whose instances were hijacked. The incident underscores the growing sophistication of cybercriminals in weaponizing misconfigured cloud services, with AWS EC2 serving as a primary target in this campaign. While no customer data breaches were reported, the abuse of Docker APIs for malicious purposes could erode trust in AWS’s security posture, particularly among enterprises relying on containerized workloads.

Amazon Business | Vulnerability | Severity 100 | Impact 5 | Seen 9/2025 | Source: Wiz
Rankiteo Explanation: Attack threatening the organization's existence

Description: AWS CodeBuild Misconfiguration Could Have Enabled Supply Chain Attacks. In September 2025, Amazon Web Services (AWS) patched a critical misconfiguration in its AWS CodeBuild service that could have allowed attackers to take over the company’s own GitHub repositories, including the AWS JavaScript SDK (aws-sdk-js-v3), potentially compromising millions of AWS environments. The vulnerability, dubbed CodeBreach by cloud security firm Wiz, was disclosed responsibly on August 25, 2025, and stemmed from a flaw in CI pipeline webhook filters. The issue centered on insecure regular expression (regex) patterns in CodeBuild’s webhook filters, which were designed to restrict build triggers to approved GitHub user IDs (ACTOR_ID). However, the filters lacked start (^) and end ($) anchors, so any user ID containing an approved sequence (e.g., 755743) as a substring matched the filter. Since GitHub assigns numeric IDs sequentially, Wiz researchers demonstrated this by generating bot accounts with predictable IDs (e.g., 226755743) that contained trusted maintainers’ IDs. Once an attacker triggered a build, they could leak GitHub admin tokens, including a Personal Access Token (PAT) for the aws-sdk-js-automation user, granting full repository control. This access could have enabled malicious code injection, pull request approvals, and secrets exfiltration, paving the way for supply chain attacks affecting AWS services and dependent applications. The misconfiguration impacted four AWS-managed repositories:
- aws-sdk-js-v3 (JavaScript SDK)
- aws-lc (cryptographic library)
- amazon-corretto-crypto-provider
- awslabs/open-data-registry
AWS confirmed the flaw was project-specific and not a systemic CodeBuild issue. While no exploitation was detected, the company implemented credential rotations, enhanced build process protections, and stricter regex validation to prevent recurrence. The incident underscores the high-risk nature of CI/CD pipelines, where minor misconfigurations can lead to large-scale breaches. Similar vulnerabilities in GitHub Actions workflows, such as pull_request_target misconfigurations, have previously exposed projects from Google, Microsoft, and NVIDIA to remote code execution (RCE) and secrets theft. Security researchers emphasize that untrusted code should never trigger privileged pipelines without proper validation.

Amazon Business | Cyber Attack | Severity 60 | Impact 2 | Seen 7/2025 | Source: NA
Rankiteo Explanation: Attack limited to finance or reputation

Description: Ring, a subsidiary of Amazon, faced a significant issue on May 28th when customers reported unauthorized devices logged into their accounts from various locations worldwide. While Ring attributed this to a backend update bug, customers remained skeptical, citing unknown devices and strange IP addresses. The company's explanation was met with disbelief, as users saw logins from countries they had never visited and devices they did not recognize. Additionally, some users reported live view activity during times when no one accessed the app and missed security alerts or multi-factor authentication prompts. Ring's lack of clarity and the persistence of the issue have raised concerns among customers about potential security breaches.

Amazon Business | Vulnerability | Severity 85 | Impact 4 | Seen 6/2025 | Source: NA
Rankiteo Explanation: Attack with significant impact, with customer data leaks

Description: AWS’s Trusted Advisor tool, designed to alert customers if their S3 storage buckets are publicly exposed, was found by Fog Security researchers to be vulnerable to manipulation. By tweaking bucket policies or ACLs (Access Control Lists) and adding deny policies (e.g., blocking `s3:GetBucketPolicyStatus`, `s3:GetBucketPublicAccessBlock`, or `s3:GetBucketAcl`), attackers or misconfigured users could make buckets publicly accessible while preventing Trusted Advisor from detecting the exposure. This flaw allowed potential data exfiltration without triggering security warnings, posing risks of unauthorized access to sensitive data. The issue was privately reported to AWS, which implemented fixes in June 2025 to correct Trusted Advisor’s detection logic. However, concerns remain about inadequate user notifications, as some accounts (including the researcher’s test account) did not receive alerts, leaving them unaware of the need to recheck bucket permissions. AWS recommended enabling Block Public Access settings, retiring legacy ACLs, and using IAM policies for stricter control. Fog Security also released an open-source scanning tool to help users identify misconfigured S3 buckets. The vulnerability highlights the risks of insider threats (malicious or accidental), credential compromise, and misconfigurations leading to unintended public exposure of data, potentially affecting customer trust, compliance, and data security.

Amazon Business | Ransomware | Severity 100 | Impact 5 | Seen 5/2025 | Source: NA
Rankiteo Explanation: Attack threatening the organization’s existence

Description: Cybersecurity researchers have warned about a new wave of ransomware attacks targeting AWS S3 buckets, a widely used cloud storage service. Unlike traditional ransomware that encrypts or deletes data, attackers are now abusing cloud-native encryption and key management services to render data permanently unrecoverable. By manipulating built-in AWS capabilities like key rotation and encryption controls, threat actors can lock organizations out of their own storage without triggering typical breach detection mechanisms. The shift reflects an evolution in ransomware tactics as defenders strengthen perimeter defenses. Organizations relying on S3 buckets for critical data, including customer records, financial documents, or proprietary assets, face severe operational disruptions if encryption keys are compromised. Recovery may require paying ransoms or accepting irreversible data loss, particularly if backups are also encrypted or inaccessible. The attack method exploits trusted cloud functionality, making it harder to distinguish malicious activity from legitimate administrative actions. Given AWS’s dominance in cloud infrastructure, successful exploits could cascade across dependent services, affecting businesses, governments, and end users. The technique underscores the growing sophistication of ransomware groups in targeting cloud environments, where traditional security models may fall short.

Amazon Business | Vulnerability | Severity 100 | Impact 5 | Seen 12/2024 | Source: Fortinet
Rankiteo Explanation: Attack threatening the organization's existence

Description: Tenable Report Highlights Persistent Cloud Security Risks Despite Improvements. A recent report by Tenable reveals both progress and ongoing vulnerabilities in cloud security, particularly around "toxic cloud trilogies": cloud instances that are publicly exposed, critically vulnerable, and highly privileged at the same time. Between October 2024 and March 2025, the number of organizations with at least one such instance on AWS or Google Cloud Platform (GCP) dropped from 38% to 29%, while those with five or more declined from 27% to 13%. Despite these improvements, Tenable warns that such exposures remain a pressing concern. The report also uncovered widespread exposure of sensitive data in cloud configurations. Researchers found that 54% of AWS Elastic Container Service (ECS) task definitions and 52% of Google Cloud Run environment variables contained confidential information. Additionally, over a quarter of AWS users stored sensitive data in user data fields, with 3.5% of AWS EC2 instances holding secrets, posing a significant risk if exploited. AWS hosted the highest proportion of sensitive data (16.7% of its buckets), compared to 6.5% for GCP and 3.2% for Microsoft Azure. While nearly 80% of AWS users have enabled critical identity-checking services, the findings underscore persistent misconfigurations and overconfidence in cloud security measures. The report, released at AWS re:Invent 2024 in Las Vegas, highlights the need for continued vigilance in securing cloud environments.

Amazon Business | Vulnerability | Severity 60 | Impact 3 | Seen 8/2024 | Source: NA
Rankiteo Explanation: Attack with significant impact, with internal employee data leaks

Description: A vulnerability in Amazon Web Services' Application Load Balancer was discovered by security firm Miggo, which could potentially allow an attacker to bypass access controls and compromise web applications. This vulnerability was not due to a software flaw but stemmed from customers' configuration of the service, particularly the setup of authentication. Researchers identified over 15,000 web applications with potentially vulnerable configurations, though AWS disputes the figure and has contacted customers to recommend more secure setups. Exploiting this vulnerability would involve token forgery by the attacker to obtain unauthorized access to applications, escalating privileges within the system.

Amazon Business | Breach | Severity 85 | Impact 4 | Seen 7/2024 | Source: NA
Rankiteo Explanation: Attack with significant impact, with customer data leaks

Description: webXray, a tool designed to expose privacy violations on the internet, reveals how tech giants like Google and various websites track user data and browsing habits. Developed by former Google engineer Tim Libert, webXray analyzes web activity to identify which sites collect data, including sensitive information. Such tracking, often without clear user consent, can breach laws like HIPAA and GDPR, posing serious threats to individuals' privacy. The tool aims to empower regulators and attorneys to assess and rectify these violations, promoting a balanced digital ecosystem.

Amazon Business | Cyber Attack | Severity 100 | Seen 6/2024 | Source: NA
Rankiteo Explanation: Attack threatening the organization's existence:
- Attack which creates an outage
- Attack which disrupts the payment process for a shop / e-commerce website
- Attack by criminal hackers (indirectly, via systemic exploitation)
- Attack which stops a factory (if industrial IoT / operational technology was dependent on AWS)
- Attack in which company data is exposed (potential secondary breaches due to prolonged vulnerability)

Description: AWS, the world’s largest cloud computing platform (30% market share), suffered a major outage due to a malfunction at its Northern Virginia data center. The incident disrupted thousands of organizations globally, including banks (e.g., financial software like Xero), social media platforms (e.g., Snapchat), and other digital services. While AWS claimed to have resolved the underlying issue, residual disruptions persisted for some users. The outage exposed critical vulnerabilities in cloud reliance, triggering cascading failures across dependent systems. Businesses faced operational paralysis, financial losses from downtime, and reputational damage due to service unavailability. The incident underscored risks like single points of failure in centralized cloud infrastructure, vendor lock-in challenges, and geopolitical regulatory complexities. Previous outages by competitors (Microsoft Azure, Google Cloud) in 2024 further highlighted systemic fragility in the oligopolistic cloud market, where a minor technical error can cripple global digital ecosystems.

Amazon Business | Breach | Severity 50 | Impact 2 | Seen 09/2023 | Source: NA
Rankiteo Explanation: Attack limited to finance or reputation

Description: Whole Foods Market suffered a payment card breach. The security breach report states that thieves were able to obtain, without authorization, the credit card details of patrons who made transactions at specific locations, such as full-service restaurants and taprooms inside some stores. Whole Foods Market was notified of an incident in which payment card information used at these establishments was improperly accessed. The locations and total number of consumers affected by the attack remain unknown, as the company has not released any information about it.

Amazon Business | Vulnerability | Severity 60 | Impact 3 | Seen 6/2023 | Source: NA
Rankiteo Explanation: Attack with significant impact, with internal employee data leaks

Description: A critical vulnerability (CVE-2025-12779) in the Amazon WorkSpaces client for Linux (versions 2023.0–2024.8) exposes improper handling of authentication tokens, allowing local attackers to extract valid tokens left accessible by the client. This flaw enables unauthorized access to a victim’s private WorkSpaces session, granting control over their virtual environment. The risk is heightened in shared or multi-user Linux systems, where malicious actors could exploit the vulnerability to hijack sessions, access sensitive data, or perform actions on behalf of the compromised user. AWS has released a patch in version 2025.0 and urged immediate updates, but unpatched systems remain exposed to session takeover attacks. While no evidence of active exploitation has been reported, the vulnerability underscores the risks of inadequate token management in cloud-based desktop solutions, potentially leading to data breaches, privilege escalation, or lateral movement within corporate networks if abused in enterprise environments.

Amazon Business | Data Leak | Severity 85 | Seen 10/2021 | Source: NA
Rankiteo Explanation: Attack with significant impact, with internal employee data leaks

Description: Amazon.com Inc’s live streaming e-sports platform Twitch was hit by a data breach. An anonymous hacker leaked Twitch data, including information related to the company’s source code, clients and unreleased games, according to Video Games Chronicle. The data was exposed due to an error in a Twitch server configuration change and was subsequently accessed by a malicious third party.

Amazon Business | Cyber Attack | Severity 100 | Impact 6 | Seen 6/2021 | Source: NA
Rankiteo Explanation: Attack threatening the economy of a geographical region

Description: Russian Sandworm Hackers Target Misconfigured AWS Edge Devices in Multi-Year Campaign. Amazon’s Threat Intelligence unit has confirmed that Russian state-sponsored hackers, identified as the Sandworm group (linked to Russia’s GRU military intelligence), conducted a yearslong cyberattack campaign in 2025 targeting misconfigured network edge devices hosted on AWS infrastructure. The attacks focused on energy sector organizations and businesses with cloud-hosted network infrastructure, primarily in Western nations, North America, and Europe. The hackers exploited exposed management interfaces on customer-owned edge devices, such as enterprise routers, VPN concentrators, and remote access gateways, to gain initial access, harvest credentials, and move laterally within victim networks. Amazon’s Chief Information Security Officer (CISO), CJ Moses, emphasized that the attacks were not due to AWS vulnerabilities but rather customer misconfigurations, which the threat actors leveraged to maintain persistent access while minimizing detection risks. This campaign marks an evolution in Sandworm’s tactics, shifting from zero-day and N-day exploits (used in prior years, including WatchGuard and Veeam vulnerabilities in 2021–2024) to low-effort targeting of misconfigured devices, a strategy Moses described as a "concerning adaptation" that achieves the same objectives with reduced resource expenditure. The group’s operations have spanned at least five years, with a sustained focus on critical infrastructure, particularly the energy sector. Amazon has disrupted active threat operations and notified affected customers, though no AWS-specific patches are required. The company continues to collaborate with the security community to counter state-sponsored threats targeting cloud environments. Network analysis revealed that actor-controlled IP addresses established persistent connections to compromised EC2 instances running customer-managed network appliances.

Amazon Business | Breach | Severity 100 | Impact 5 | Seen 01/2021 | Source: NA
Rankiteo Explanation: Attack threatening the organization's existence

Description: A security flaw in Ring’s Neighbors app exposed the precise locations and home addresses of users who had posted to the app. It included the videos taken by Ring doorbells and security cameras and the bug made it possible to retrieve the location data of users who posted to the app. The bug retrieved the hidden data, including the user’s latitude and longitude and their home address, from Ring’s servers. The hackers also created tools to break into Ring accounts and over 1,500 user account passwords were found on the dark web.

Amazon Business | Data Leak | Severity 50 | Impact 2 | Seen 01/2020 | Source: NA
Rankiteo Explanation: Attack limited to finance or reputation

Description: Amazon fired a number of employees after they shared customer email addresses and phone numbers with a third party, in violation of company policies. No other account-related information was shared.

Amazon Business | Data Leak | Severity 85 | Impact 3 | Seen 01/2020 | Source: NA
Rankiteo Explanation: Attack with significant impact, with internal employee data leaks

Description: Amazon-owned home security camera company Ring fired employees for improperly accessing Ring users' video data. This data can be particularly sensitive, as customers often put the cameras inside their homes. Ring employees in Ukraine were given unrestricted access to videos from Ring cameras around the world.

Amazon Business | Data Leak | Severity 60 | Impact 4 | Seen 12/2019 | Source: NA
Rankiteo Explanation: Attack with significant impact, with customer data leaks

Description: 3,672 Ring camera owners' login information, including login emails, passwords, time zones, and the names people give to certain Ring cameras, was stolen. This enables a potential assailant to observe cameras in someone's home, which is a grave potential breach of privacy. A hacker might access a Ring customer's home address, phone number, and payment information, including the type of card they have, its last four numbers, and security code, using the login email and password. The nature of the leaked data, which contains a username, password, camera name, and time zone in a standardized format, shows that it was acquired from a company database.

Amazon Business | Breach | Severity 85 | Impact 4 | Seen 6/2018 | Source: NA
Rankiteo Explanation: Attack with significant impact, with customer data leaks

Description: GDPR Enforcement Remains Strong as Breach Notifications Surge in Europe. Data breach notifications across Europe rose by 20% over the past year, even as GDPR fines held steady at €1.2 billion ($1.4 billion) in 2025, according to a report by global law firm DLA Piper. The consistent enforcement levels signal sustained regulatory scrutiny, particularly in areas like AI, supply chain security, and international data transfers. Ireland remained the most active enforcer, issuing the largest fine of 2025, €530 million against TikTok, for storing European users’ data on Chinese servers between July 2020 and November 2022 without adequate safeguards or transparency. This marked the first major GDPR penalty for data transfers to a non-U.S. country, expanding concerns beyond transatlantic data flows. Ireland also leads in cumulative fines since GDPR’s 2018 inception, with €4 billion in sanctions, followed by France (€1.1 billion) and Luxembourg (€747 million). Luxembourg’s largest fine, €746 million against Amazon Europe Core in 2021, was upheld in March 2025 after the company’s appeal was dismissed. The case remains under seal due to local legal restrictions. Meanwhile, U.S. tech firms continued to face the highest penalties, reflecting persistent tensions over surveillance-driven business models. The European Commission proposed GDPR reforms in November 2024 to simplify compliance, including a unified breach reporting platform managed by ENISA and an extended notification deadline from 72 to 96 hours. The changes aim to reduce overlapping obligations under GDPR, the Network and Information Security Directive 2 (NIS2), and the Digital Operational Resilience Act (DORA), though debates over balancing efficiency with privacy rights are ongoing. In the U.K., enforcement under the post-Brexit Data (Use and Access) Act 2025 has drawn criticism. Over 70 civil society groups and experts urged Parliament to investigate the Information Commissioner’s Office (ICO) after it declined to probe the Ministry of Defence’s 2022 Afghan data breach, which exposed 19,000 individuals fleeing the Taliban. The U.K. government later imposed a super injunction to block public reporting. The new DUA Act, effective June 2025, introduces structural reforms to the ICO, including enhanced investigative powers and transparency requirements.

Amazon Business
Data Leak
Severity: 85
Impact: 4
Seen: 02/2018
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: An Amazon S3 bucket containing scans of about 119,000 US and foreign citizens' IDs and personal information was found by researchers. The firm that owns the data, Bongo International, is owned by FedEx and supports North American retailers' and brands' online sales to customers abroad. In the AWS bucket were over 112,000 files, unencrypted data, and customer ID scans from a wide range of nations, including the US, Mexico, Canada, many EU nations, Saudi Arabia, Kuwait, Japan, Malaysia, China, and Australia. FedEx did not remove the S3 bucket until its presence was made public, despite Kromtech's best efforts to get in touch with them.

Amazon Business
Breach
Severity: 85
Impact: 4
Seen: 3/2017
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: The California Office of the Attorney General disclosed a data breach at Whole Foods Market Services, Inc. in October 2017. The incident involved unauthorized access to payment card information, exposing transactions conducted between March 10, 2017, and September 28, 2017. The breach was detected on September 23, 2017, though the exact number of affected individuals was not specified. The compromised data included customer payment details, potentially enabling fraudulent activity. While the full scope of the breach remains unclear, the exposure of financial information poses risks to customer trust and financial security. The incident highlights vulnerabilities in payment processing systems, emphasizing the need for robust cybersecurity measures to prevent similar breaches in the future.

Amazon Business
Cyber Attack
Severity: 80
Impact: 2
Seen: 01/2016
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack limited on finance or reputation

Description: An Amazon customer service representative was tricked by an attacker using social engineering techniques into disclosing the personal information of a user, Eric Springer. The attack, initiated over email, ended with the attacker obtaining the user’s credit card details along with his address and other details. The incident was widely publicized online, and people demanded that employees be given social engineering training to prevent similar incidents in the future.

LastPass and Amazon Web Services: LastPass Warns of Fake Maintenance Message Tricking Users to Steal Master Passwords
Cyber Attack
Severity: 85
Impact: 4
Seen: 1/2026
Blog:
Supply Chain Source: Amazon
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: Critical Phishing Campaign Targets LastPass Users in Sophisticated Attack. A high-severity phishing campaign targeting LastPass users began on January 19, 2026, with attackers impersonating the company’s support team to steal master passwords. The fraudulent emails falsely claim an urgent need for vault backups within 24 hours, leveraging social engineering to exploit user trust. LastPass has confirmed that it never requests master passwords or demands immediate vault backups via email, emphasizing that legitimate communications avoid unsolicited urgent actions. The campaign was strategically launched over a U.S. holiday weekend, a tactic designed to capitalize on reduced security staffing and slower incident response times commonly exploited by threat actors to evade detection. The phishing infrastructure relies on two key components: an initial redirect hosted on compromised AWS S3 buckets and a spoofed domain mimicking LastPass’s legitimate services. LastPass is actively working with third-party partners to dismantle the malicious infrastructure and urges users to delete any suspicious emails and report them to [email protected] for further analysis. Organizations are advised to bolster email security controls to block messages from identified sender addresses and reinforce phishing awareness, particularly regarding urgent language and credential requests. The incident underscores the persistent risk of credential harvesting campaigns targeting password manager users.

LinkedIn and AWS: FIN6 exploits HR workflows to breach corporate defenses
Cyber Attack
Severity: 25
Impact: 1
Seen: 12/2025
Blog:
Supply Chain Source: LinkedIn
Rankiteo Explanation
Attack without any consequences

Description: FIN6 Exploits Cloud Infrastructure in Sophisticated HR-Targeted Phishing Campaign. The financially motivated cybercrime group FIN6 (also known as *Skeleton Spider*) is leveraging fake job applications and trusted cloud services to target human resources (HR) professionals in a highly evasive social engineering campaign. Researchers at DomainTools uncovered the operation, which combines professional networking platforms like LinkedIn and Indeed with malware-hosting cloud infrastructure to bypass traditional security defenses.

### How the Attack Works
1. Initial Contact – Attackers pose as job seekers on professional platforms, engaging recruiters to build rapport before sending phishing emails with malicious links.
2. Fake Resume Sites – Domains mimicking real applicant names (e.g., *bobbyweisman[.]com*, *ryanberardi[.]com*) are registered via GoDaddy’s anonymous services and hosted on AWS EC2 or S3, blending into legitimate cloud traffic.
3. Sophisticated Evasion – The sites employ traffic filtering to distinguish targets from security researchers, checking IP reputation, geolocation, OS, and browser fingerprints. Only residential Windows users bypass CAPTCHA walls to receive malicious ZIP files containing the More_eggs backdoor.
4. Malware Deployment – More_eggs, a modular JavaScript backdoor, operates in memory to evade detection, enabling credential theft, command execution, and follow-on attacks, including ransomware deployment.

### Why HR is a Prime Target
HR teams frequently interact with external contacts and handle unsolicited communications, making them vulnerable to social engineering. The campaign exploits this trust, using realistic job lures to bypass email filters and endpoint security. FIN6’s shift from point-of-sale (POS) breaches to enterprise ransomware underscores its evolution toward higher-value targets.

### Cloud Abuse & Detection Challenges
Attackers favor AWS and other cloud platforms due to:
- Low-cost setup (free-tier abuse or compromised billing accounts).
- Trusted IP ranges that evade enterprise network filters.
- Scalability for hosting malicious infrastructure.
The campaign highlights gaps in perimeter-based security, as traditional defenses struggle to detect threats embedded in legitimate cloud services. Security teams are advised to monitor for unusual traffic patterns and suspicious file types linked to cloud-hosted malware.

### AWS Response & Broader Implications
An AWS spokesperson stated the company enforces terms prohibiting illegal use and acts swiftly on abuse reports. However, the incident raises questions about balancing cloud accessibility with security controls, particularly as threat actors increasingly exploit trusted infrastructure. FIN6’s operation demonstrates how low-complexity phishing, when paired with cloud evasion techniques, can outmaneuver even advanced detection tools, reinforcing the need for holistic security strategies that address both technical and human vulnerabilities.

Amazon Web Services, Palo Alto Networks, Google Cloud and Wakefield Research: Every organization faced at least one AI-related cyberattack within the last year, says research
Vulnerability
Severity: 25
Impact: 1
Seen: 12/2025
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack without any consequences

Description: AI Systems Under Siege: Every Organization Targeted in Past Year, Unit 42 Finds. A new report from Palo Alto Networks’ Unit 42 reveals a stark reality: every organization surveyed has faced at least one attack on its AI systems in the past year. The findings, derived from a survey of over 2,800 participants across 10 countries, including the U.S., UK, Germany, Japan, and India, highlight a growing and systemic vulnerability in AI security, with cloud infrastructure at the heart of the problem. Conducted between September 29 and October 17, 2025, the research underscores that AI security cannot rely on reactive measures. Instead, organizations must adopt a proactive, scientific approach to safeguarding AI systems, given their complexity and critical applications. The report emphasizes that AI security is inherently tied to cloud infrastructure, where most AI workloads (data storage, model training, and application deployment) reside. Cloud platforms like AWS, Microsoft Azure, and Google Cloud, while enabling AI scalability, also present prime targets for cyberattacks. Exploitable weaknesses in cloud security can lead to unauthorized access, data theft, or operational disruptions. Traditional security measures often fall short in addressing the unique challenges of AI, such as securing data pipelines, managing identities, and protecting cloud-hosted workloads. The *State of Cloud Security Report 2025* argues that the only effective defense is a holistic approach to cloud security, treating it as foundational to AI protection. This includes enforcing strong policies, encryption standards, regular audits, and isolating AI workloads from cloud vulnerabilities. As AI integrates deeper into sectors like healthcare, finance, and autonomous systems, the stakes rise: breaches could compromise sensitive data, disrupt services, or even endanger lives. Emerging threats, such as adversarial attacks designed to manipulate AI models, further complicate the landscape. The report calls for collaboration between cloud providers, AI developers, and security teams to build robust frameworks and real-time threat detection tools. The future of AI security hinges on securing the cloud infrastructure that powers it, ensuring resilience against an evolving threat landscape.

Amazon Web Services: AWS Customers Targeted in Cryptocurrency Mining Campaign Using Stolen IAM Credentials
Cyber Attack
Severity: 50
Impact: 2
Seen: 11/2025
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack limited on finance or reputation

Description: AWS Customers Targeted in Large-Scale Cryptocurrency Mining Campaign. A new cryptocurrency mining campaign is exploiting compromised AWS Identity and Access Management (IAM) credentials to hijack cloud environments for illicit profit. First detected by Amazon’s GuardDuty service on November 2, 2025, the attack leverages stolen IAM credentials to covertly deploy mining operations within AWS accounts, turning customer resources into cryptocurrency farms. The campaign employs novel persistence techniques, making detection and removal difficult. Attackers bypass standard security measures, embedding themselves within AWS infrastructure and requiring thorough remediation efforts to fully eradicate. The incident highlights vulnerabilities in cloud security, particularly around IAM credential management, as compromised access keys grant attackers unfettered control over AWS resources. GuardDuty’s automated threat detection played a key role in identifying the malicious activity, flagging unusual patterns indicative of unauthorized mining. AWS has urged customers to rotate IAM credentials immediately, enforce multifactor authentication (MFA), and monitor accounts for suspicious configurations. The attack underscores the growing sophistication of cloud-based threats and the need for proactive security measures, including regular audits and automated monitoring, to counter evolving risks in cloud environments.

Amazon Web Services (AWS)
Cyber Attack
Severity: 100
Impact: 5
Seen: 10/2025
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack threatening the organization’s existence

Description: AWS experienced a 16-hour global outage on October 20, caused by DNS resolution issues in its US-East-1 region, disrupting hundreds of critical online services worldwide. Affected platforms included Zoom, Canva, banks, airlines, Roblox, Fortnite, Snapchat, and Reddit, with thousands of users in Singapore reporting disruptions via Downdetector. The outage stemmed from a chain of failures: initial DNS problems led to impairments in AWS’s internal subsystem monitoring network load balancers, followed by a backlog of internet traffic requests, prolonging restoration. The incident mirrored the severity of a coordinated cyber attack, exposing vulnerabilities in cloud resilience and overreliance on legacy technologies like DNS. While AWS confirmed increased error rates and latencies, the root cause (hardware error, misconfiguration, or human error) remains undisclosed. The outage underscored risks to global digital infrastructure, prompting regulatory responses like Singapore’s upcoming Digital Infrastructure Act to enforce stricter security and resilience standards for cloud providers. The economic and operational ripple effects highlighted the concentrated risk of single-point failures in cloud services, disrupting businesses, financial transactions, and daily digital activities for millions.

AWS (Amazon Web Services)
Cyber Attack
Severity: 60
Impact: 2
Seen: 9/2025
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack limited on finance or reputation

Description: Darktrace researchers uncovered a cyber campaign dubbed ShadowV2, exploiting misconfigured, exposed Docker APIs on AWS EC2 instances. Attackers leveraged the Python Docker SDK to interact with unsecured Docker daemons, building malicious containers directly on victims' systems instead of using prebuilt images, likely to minimize forensic evidence. The compromised Docker environments were then repurposed as launchpads for DDoS (Distributed Denial of Service) attacks, turning cloud-native misconfigurations into a scalable attack vector. While Docker instances on AWS are not exposed to the internet by default, improper configurations enabled external access, allowing threat actors to infiltrate systems. The attack highlights the industrialization of cybercrime, where DDoS-as-a-service models, complete with APIs, dashboards, and user interfaces, are commoditized. Although the article does not specify direct financial or data losses, the exploitation of cloud infrastructure for large-scale DDoS operations poses reputational risks, operational disruptions, and potential financial liabilities for AWS customers whose instances were hijacked. The incident underscores the growing sophistication of cybercriminals in weaponizing misconfigured cloud services, with AWS EC2 serving as a primary target in this campaign. While no customer data breaches were reported, the abuse of Docker APIs for malicious purposes could erode trust in AWS’s security posture, particularly among enterprises relying on containerized workloads.

Amazon Web Services and Wiz: AWS CodeBuild Misconfiguration Exposed GitHub Repos to Potential Supply Chain Attacks
Vulnerability
Severity: 100
Impact: 5
Seen: 9/2025
Blog:
Supply Chain Source: Wiz
Rankiteo Explanation
Attack threatening the organization's existence

Description: AWS CodeBuild Misconfiguration Could Have Enabled Supply Chain Attacks. In September 2025, Amazon Web Services (AWS) patched a critical misconfiguration in its AWS CodeBuild service that could have allowed attackers to take over the company’s own GitHub repositories, including the AWS JavaScript SDK (aws-sdk-js-v3), potentially compromising millions of AWS environments. The vulnerability, dubbed CodeBreach by cloud security firm Wiz, was disclosed responsibly on August 25, 2025, and stemmed from a flaw in CI pipeline webhook filters. The issue centered on insecure regular expression (regex) patterns in CodeBuild’s webhook filters, which were designed to restrict build triggers to approved GitHub user IDs (ACTOR_ID). However, the filters lacked start (^) and end ($) anchors, so any user ID containing an approved sequence as a substring (e.g., *755743*) matched the filter and bypassed the restriction. Since GitHub assigns numeric IDs sequentially, Wiz researchers exploited this by generating bot accounts with predictable IDs (e.g., *226755743*) that contained a trusted maintainer’s ID. Once an attacker triggered a build, they could leak GitHub admin tokens, including a Personal Access Token (PAT) for the *aws-sdk-js-automation* user, granting full repository control. This access could have enabled malicious code injection, pull request approvals, and secrets exfiltration, paving the way for supply chain attacks affecting AWS services and dependent applications. The misconfiguration impacted four AWS-managed repositories:
- aws-sdk-js-v3 (JavaScript SDK)
- aws-lc (cryptographic library)
- amazon-corretto-crypto-provider
- awslabs/open-data-registry
AWS confirmed the flaw was project-specific and not a systemic CodeBuild issue. While no exploitation was detected, the company implemented credential rotations, enhanced build process protections, and stricter regex validation to prevent recurrence. The incident underscores the high-risk nature of CI/CD pipelines, where minor misconfigurations can lead to large-scale breaches. Similar vulnerabilities in GitHub Actions workflows, such as pull_request_target misconfigurations, have previously exposed projects from Google, Microsoft, and NVIDIA to remote code execution (RCE) and secrets theft. Security researchers emphasize that untrusted code should never trigger privileged pipelines without proper validation.

Ring
Cyber Attack
Severity: 60
Impact: 2
Seen: 7/2025
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack limited on finance or reputation

Description: Ring, a subsidiary of Amazon, faced a significant issue on May 28th when customers reported unauthorized devices logged into their accounts from various locations worldwide. While Ring attributed this to a backend update bug, customers remained skeptical, citing unknown devices and strange IP addresses. The company's explanation was met with disbelief, as users saw logins from countries they had never visited and devices they did not recognize. Additionally, some users reported live view activity during times when no one accessed the app and missed security alerts or multi-factor authentication prompts. Ring's lack of clarity and the persistence of the issue have raised concerns among customers about potential security breaches.

Amazon Web Services (AWS)
Vulnerability
Severity: 85
Impact: 4
Seen: 6/2025
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: AWS’s Trusted Advisor tool, designed to alert customers if their S3 storage buckets are publicly exposed, was found by Fog Security researchers to be vulnerable to manipulation. By tweaking bucket policies or ACLs (Access Control Lists) and adding deny policies (e.g., blocking `s3:GetBucketPolicyStatus`, `s3:GetBucketPublicAccessBlock`, or `s3:GetBucketAcl`), attackers or misconfigured users could make buckets publicly accessible while preventing Trusted Advisor from detecting the exposure. This flaw allowed potential data exfiltration without triggering security warnings, posing risks of unauthorized access to sensitive data. The issue was privately reported to AWS, which implemented fixes in June 2025 to correct Trusted Advisor’s detection logic. However, concerns remain about inadequate user notifications, as some accounts (including the researcher’s test account) did not receive alerts, leaving them unaware of the need to recheck bucket permissions. AWS recommended enabling Block Public Access settings, retiring legacy ACLs, and using IAM policies for stricter control. Fog Security also released an open-source scanning tool to help users identify misconfigured S3 buckets. The vulnerability highlights risks of insider threats (malicious or accidental), credential compromise, and misconfigurations leading to unintended public exposure of data, potentially affecting customer trust, compliance, and data security.

Amazon Web Services (AWS)
Ransomware
Severity: 100
Impact: 5
Seen: 5/2025
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack threatening the organization’s existence

Description: Cybersecurity researchers have warned about a new wave of ransomware attacks targeting AWS S3 buckets, a widely used cloud storage service. Unlike traditional ransomware that encrypts or deletes data, attackers are now abusing cloud-native encryption and key management services to render data permanently unrecoverable. By manipulating built-in AWS capabilities like key rotation and encryption controls, threat actors can lock organizations out of their own storage without triggering typical breach detection mechanisms. The shift reflects an evolution in ransomware tactics as defenders strengthen perimeter defenses. Organizations relying on S3 buckets for critical data, including customer records, financial documents, or proprietary assets, face severe operational disruptions if encryption keys are compromised. Recovery may require paying ransoms or accepting irreversible data loss, particularly if backups are also encrypted or inaccessible. The attack method exploits trusted cloud functionality, making it harder to distinguish malicious activity from legitimate administrative actions. Given AWS’s dominance in cloud infrastructure, successful exploits could cascade across dependent services, affecting businesses, governments, and end-users. The technique underscores the growing sophistication of ransomware groups in targeting cloud environments, where traditional security models may fall short.

Fortinet, Cisco, Amazon Web Services and JPMorgan Chase: Cloud storage buckets leaking secret data despite security improvements
Vulnerability
Severity: 100
Impact: 5
Seen: 12/2024
Blog:
Supply Chain Source: Fortinet
Rankiteo Explanation
Attack threatening the organization's existence

Description: Tenable Report Highlights Persistent Cloud Security Risks Despite Improvements. A recent report by Tenable reveals both progress and ongoing vulnerabilities in cloud security, particularly around "toxic cloud trilogies": cloud instances that are publicly exposed, critically vulnerable, and highly privileged at the same time. Between October 2024 and March 2025, the number of organizations with at least one such instance on AWS or Google Cloud Platform (GCP) dropped from 38% to 29%, while those with five or more declined from 27% to 13%. Despite these improvements, Tenable warns that such exposures remain a pressing concern. The report also uncovered widespread exposure of sensitive data in cloud configurations. Researchers found that 54% of AWS Elastic Container Service (ECS) task definitions and 52% of Google Cloud Run environment variables contained confidential information. Additionally, over a quarter of AWS users stored sensitive data in user data fields, with 3.5% of AWS EC2 instances holding secrets, posing a significant risk if exploited. AWS hosted the highest proportion of sensitive data (16.7% of its buckets), compared to 6.5% for GCP and 3.2% for Microsoft Azure. While nearly 80% of AWS users have enabled critical identity-checking services, the findings underscore persistent misconfigurations and overconfidence in cloud security measures. The report, released at AWS re:Invent 2024 in Las Vegas, highlights the need for continued vigilance in securing cloud environments.

Amazon Web Services
Vulnerability
Severity: 60
Impact: 3
Seen: 8/2024
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack with significant impact with internal employee data leaks

Description: A vulnerability in Amazon Web Services' Application Load Balancer was discovered by security firm Miggo, which could potentially allow an attacker to bypass access controls and compromise web applications. This vulnerability was not due to a software flaw but stemmed from customers' configuration of the service, particularly the setup of authentication. Researchers identified over 15,000 web applications with potentially vulnerable configurations, though AWS disputes the figure and has contacted customers to recommend more secure setups. Exploiting this vulnerability would involve token forgery by the attacker to obtain unauthorized access to applications, escalating privileges within the system.

webXray
Breach
Severity: 85
Impact: 4
Seen: 7/2024
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: webXray, a tool designed to expose privacy violations on the internet, reveals how tech giants like Google and various websites track user data and browsing habits. Developed by former Google engineer Tim Libert, webXray analyzes web activity to identify which sites collect data, including sensitive information. Such tracking, often without clear user consent, can breach laws like HIPAA and GDPR, posing serious threats to individuals' privacy. The tool aims to empower regulators and attorneys to assess and rectify these violations, promoting a balanced digital ecosystem.

Amazon Web Services (AWS)
Cyber Attack
Severity: 100
Impact:
Seen: 6/2024
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack threatening the organization's existence:
- Attack which creates an outage
- Attack which disrupts the payment process for a shop / e-commerce website
- Attack by criminal hackers (indirectly via systemic exploitation)
- Attack which stops a factory (if industrial IoT/operational tech was dependent on AWS)
- Attack in which company data is exposed (potential secondary breaches due to prolonged vulnerability)

Description: AWS, the world’s largest cloud computing platform (30% market share), suffered a major outage due to a malfunction at its Northern Virginia data center. The incident disrupted thousands of organizations globally, including banks (e.g., financial software like Xero), social media platforms (e.g., Snapchat), and other digital services. While AWS claimed to have resolved the underlying issue, residual disruptions persisted for some users. The outage exposed critical vulnerabilities in cloud reliance, triggering cascading failures across dependent systems. Businesses faced operational paralysis, financial losses from downtime, and reputational damage due to service unavailability. The incident underscored risks like single points of failure in centralized cloud infrastructure, vendor lock-in challenges, and geopolitical regulatory complexities. Previous outages by competitors (Microsoft Azure, Google Cloud) in 2024 further highlighted systemic fragility in the oligopolistic cloud market, where a minor technical error can cripple global digital ecosystems.

Whole Foods Market
Breach
Severity: 50
Impact: 2
Seen: 09/2023
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack limited on finance or reputation

Description: Whole Foods Market suffered a payment card breach. The security breach report states that thieves were able to obtain, without authorization, the credit card details of patrons who made transactions at specific locations, such as full-service restaurants and taprooms inside some stores. Whole Foods Market was notified of an incident in which payment card information used at these select establishments was improperly accessed. The locations and total number of consumers affected by the attack remain unknown, as the company has not released any information about it.

Amazon Web Services (AWS)
Vulnerability
Severity: 60
Impact: 3
Seen: 6/2023
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack with significant impact with internal employee data leaks

Description: A critical vulnerability (CVE-2025-12779) in the Amazon WorkSpaces client for Linux (versions 2023.0–2024.8) exposes improper handling of authentication tokens, allowing local attackers to extract valid tokens left accessible by the client. This flaw enables unauthorized access to a victim’s private WorkSpaces session, granting control over their virtual environment. The risk is heightened in shared or multi-user Linux systems, where malicious actors could exploit the vulnerability to hijack sessions, access sensitive data, or perform actions on behalf of the compromised user. AWS has released a patch in version 2025.0 and urged immediate updates, but unpatched systems remain exposed to session takeover attacks. While no evidence of active exploitation has been reported, the vulnerability underscores the risks of inadequate token management in cloud-based desktop solutions, potentially leading to data breaches, privilege escalation, or lateral movement within corporate networks if abused in enterprise environments.

Twitch
Data Leak
Severity: 85
Impact:
Seen: 10/2021
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack with significant impact with internal employee data leaks.

Description: Amazon.com Inc’s live streaming e-sports platform Twitch was hit by a data breach. An anonymous hacker leaked Twitch data, including information related to the company’s source code, clients and unreleased games, according to Video Games Chronicle. The data was exposed due to an error in a Twitch server configuration change and was subsequently accessed by a malicious third party.

AWS: Edge Devices On AWS Infrastructure Targeted By Russian Cyberattacks In ‘Yearslong’ Campaign
Cyber Attack
Severity: 100
Impact: 6
Seen: 6/2021
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack threatening the economy of geographical region

Description: Russian Sandworm Hackers Target Misconfigured AWS Edge Devices in Multi-Year Campaign. Amazon’s Threat Intelligence unit has confirmed that Russian state-sponsored hackers, identified as the Sandworm group (linked to Russia’s GRU military intelligence), conducted a yearslong cyberattack campaign in 2025 targeting misconfigured network edge devices hosted on AWS infrastructure. The attacks focused on energy sector organizations and businesses with cloud-hosted network infrastructure, primarily in Western nations, North America, and Europe. The hackers exploited exposed management interfaces on customer-owned edge devices, such as enterprise routers, VPN concentrators, and remote access gateways, to gain initial access, harvest credentials, and move laterally within victim networks. Amazon’s Chief Information Security Officer (CISO), CJ Moses, emphasized that the attacks were not due to AWS vulnerabilities but rather customer misconfigurations, which the threat actors leveraged to maintain persistent access while minimizing detection risks. This campaign marks an evolution in Sandworm’s tactics, shifting from zero-day and N-day exploits (used in prior years, including WatchGuard and Veeam vulnerabilities in 2021–2024) to low-effort targeting of misconfigured devices, a strategy Moses described as a "concerning adaptation" that achieves the same objectives with reduced resource expenditure. The group’s operations have spanned at least five years, with a sustained focus on critical infrastructure, particularly the energy sector. Amazon has disrupted active threat operations and notified affected customers, though no AWS-specific patches are required. The company continues to collaborate with the security community to counter state-sponsored threats targeting cloud environments. Network analysis revealed that actor-controlled IP addresses established persistent connections to compromised EC2 instances running customer-managed network appliances.

Ring
Breach
Severity: 100
Impact: 5
Seen: 01/2021
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack threatening the organization's existence

Description: A security flaw in Ring’s Neighbors app exposed the precise locations and home addresses of users who had posted to the app, including those who had shared video from Ring doorbells and security cameras. The bug allowed hidden data, including the poster’s latitude and longitude and home address, to be retrieved from Ring’s servers. Hackers also built tools to break into Ring accounts, and over 1,500 user account passwords were found on the dark web.

Amazon
Data Leak
Severity: 50
Impact: 2
Seen: 01/2020
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack limited on finance or reputation

Description: Amazon fired a number of employees after they shared customer email addresses and phone numbers with a third party, in violation of company policy. No other account information was shared.

Ring
Data Leak
Severity: 85
Impact: 3
Seen: 01/2020
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack with significant impact with internal employee data leaks

Description: Amazon-owned home security camera company Ring fired employees for improperly accessing users’ video data. This data is particularly sensitive because customers often place the cameras inside their homes. Ring employees in Ukraine had been given unrestricted access to videos from Ring cameras around the world.

Ring
Data Leak
Severity: 60
Impact: 4
Seen: 12/2019
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: 3,672 Ring camera owners' login information, including login emails, passwords, time zones, and the names people give to certain Ring cameras, was stolen. This enables a potential assailant to observe cameras in someone's home, which is a grave potential breach of privacy. A hacker might access a Ring customer's home address, phone number, and payment information, including the type of card they have, its last four numbers, and security code, using the login email and password. The nature of the leaked data, which contains a username, password, camera name, and time zone in a standardized format, shows that it was acquired from a company database.

TikTok and Amazon Europe Core: Breach Notifications in Europe Rise, While Fines Hold Steady
Breach
Severity: 85
Impact: 4
Seen: 6/2018
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: GDPR Enforcement Remains Strong as Breach Notifications Surge in Europe. Data breach notifications across Europe rose by 20% over the past year, even as GDPR fines held steady at €1.2 billion ($1.4 billion) in 2025, according to a report by global law firm DLA Piper. The consistent enforcement levels signal sustained regulatory scrutiny, particularly in areas like AI, supply chain security and international data transfers. Ireland remained the most active enforcer, issuing the largest fine of 2025, €530 million against TikTok, for storing European users’ data on Chinese servers between July 2020 and November 2022 without adequate safeguards or transparency. This was the first major GDPR penalty for data transfers to a country other than the U.S., extending concerns beyond transatlantic data flows. Ireland also leads in cumulative fines since GDPR took effect in 2018, with €4 billion in sanctions, followed by France (€1.1 billion) and Luxembourg (€747 million). Luxembourg’s largest fine, €746 million against Amazon Europe Core in 2021, was upheld in March 2025 after the company’s appeal was dismissed; the case remains under seal due to local legal restrictions. U.S. tech firms continued to face the highest penalties, reflecting persistent tensions over surveillance-driven business models. The European Commission proposed GDPR reforms in November 2024 to simplify compliance, including a unified breach reporting platform managed by ENISA and an extended notification deadline from 72 to 96 hours. The changes aim to reduce overlapping obligations under GDPR, the Network and Information Security Directive 2 (NIS2) and the Digital Operational Resilience Act (DORA), though debate over balancing efficiency with privacy rights is ongoing. In the U.K., enforcement under the post-Brexit Data (Use and Access) Act 2025 has drawn criticism: over 70 civil society groups and experts urged Parliament to investigate the Information Commissioner’s Office (ICO) after it declined to probe the Ministry of Defence’s 2022 Afghan data breach, which exposed 19,000 individuals fleeing the Taliban, and the U.K. government later imposed a super-injunction to block public reporting. The new DUA Act, effective June 2025, introduces structural reforms to the ICO, including enhanced investigative powers and transparency requirements.

Amazon Web Services (AWS)
Data Leak
Severity: 85
Impact: 4
Seen: 02/2018
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: An Amazon S3 bucket containing scans of about 119,000 US and foreign citizens' IDs and personal information was found by researchers. The firm that owns the data, Bongo International, is owned by FedEx and supports North American retailers' and brands' online sales to customers abroad. In the AWS bucket were over 112,000 files, unencrypted data, and customer ID scans from a wide range of nations, including the US, Mexico, Canada, many EU nations, Saudi Arabia, Kuwait, Japan, Malaysia, China, and Australia. FedEx did not remove the S3 bucket until its presence was made public, despite Kromtech's best efforts to get in touch with them.

Whole Foods Market Services, Inc.
Breach
Severity: 85
Impact: 4
Seen: 3/2017
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: The California Office of the Attorney General disclosed a data breach at Whole Foods Market Services, Inc. in October 2017. The incident involved unauthorized access to payment card information, exposing transactions conducted between March 10, 2017, and September 28, 2017. The breach was detected on September 23, 2017, though the exact number of affected individuals was not specified. The compromised data included customer payment details, potentially enabling fraudulent activity. While the full scope of the breach remains unclear, the exposure of financial information poses risks to customer trust and financial security. The incident highlights vulnerabilities in payment processing systems, emphasizing the need for robust cybersecurity measures to prevent similar breaches in the future.

Amazon
Cyber Attack
Severity: 80
Impact: 2
Seen: 01/2016
Blog:
Supply Chain Source: NA
Rankiteo Explanation
Attack limited on finance or reputation

Description: An Amazon customer service representative was tricked by social engineering into disclosing the personal information of a user, Eric Springer. The attack, initiated by mail, ended with the attacker obtaining his credit card details, address and other personal details. The incident drew wide attention online, with people demanding that employees be given social engineering training to prevent a recurrence.


Underwriter Stats for Amazon Business

Incidents vs Retail Industry Average, vs All-Companies Average, and by Incident Type (This Year)

No incidents recorded for Amazon Business in 2026.

[Chart: Incident History — Amazon Business (X = Date, Y = Severity), the cyber incident detection timeline including parent company and subsidiaries]

Amazon Business Company Subsidiaries

No subsidiaries are listed for Amazon Business.

Amazon Business Similar Companies

Williams-Sonoma, Inc.

Founded in 1956, Williams-Sonoma, Inc. is the premier specialty retailer of high-quality products for the home. Our family of brands includes Williams Sonoma, Pottery Barn, Pottery Barn Kids, PBteen, West Elm, Williams-Sonoma Home, Rejuvenation, and Mark and Graham. These brands are among the best

ALDI USA

Thank you for your interest in ALDI. We are aware of attempts to deceive applicants through fraudulent websites and email domains. Please know, ALDI recruiters will only contact you from an @aldi.us email address. As one of America’s favorite grocers, we believe in offering value and quality in

Esselunga

Esselunga is one of the main Italian chains in the large-scale retail sector. Its history began in 1957 with the opening in Milan of the first supermarket in Italy; today, through a network of more than 180 stores, the group is present in Lombardy, Tuscany, Emilia-Romagna, Piedmont, Veneto

Sobeys Inc.

As one of only two national grocery retailers in Canada, Sobeys Inc. serves the food shopping needs of Canadians with more than 1,500 stores in 10 provinces with retail banners that include Sobeys, Safeway, IGA, Foodland, FreshCo, Price Chopper, Thrifty Foods and Lawtons Drugs, as well as more than

Shoppers Stop

Shoppers Stop is one of the pioneers of modern retailing in India. Launched in 1991, Shoppers Stop was the first department store in the country that revolutionized the way modern India shopped. Today, with 81 stores across 37 cities and a growing online presence at www.shoppersstop.com, Shoppers St

JYSK

JYSK is an international home furnishing retailer with Scandinavian roots that makes it easy to furnish every room in any home and garden. JYSK delivers a great Scandinavian offer for everyone within sleeping and living. We are a global retail chain of stores and web shops, and part of the family-

O'Reilly Auto Parts

O’Reilly Auto Parts started as a single store and has grown into a leading retailer in the automotive aftermarket industry with more than 6,100 locations and counting. With more than 94,000 team members, O’Reilly has expanded into 48 states, Puerto Rico, Mexico, and Canada. O’Reilly, headquartered

Pick n Pay

Welcome to Pick n Pay, where family values and customer-centricity converge to create an unparalleled shopping experience. Since 1967, when the visionary Raymond Ackerman championed the cause of consumers by acquiring the first few stores, the Ackerman family's dedication has steered our journey of

Post Office Ltd

We’ve come a long way since it all started over 380 years ago. We’ve built up a network of 11,500 branches across the country. To give you a sense of how big that is, we’ve got more branches than the four biggest banks in the UK put together. Or put simply, we’re the largest retail network in the


Amazon Business CyberSecurity News

January 09, 2026 03:11 PM
Amazon Business Enhances Prime Membership with Key Tools for SMBs

Discover how Amazon Business is elevating Prime Membership with essential tools tailored for small and medium-sized businesses (SMBs).

December 28, 2025 11:35 AM
Amazon adds $1,000 annual value to Business Prime with QuickBooks, CrowdStrike benefits

Amazon Business expands membership benefits with financial software, cybersecurity protection, and HR tools for small businesses across...

December 28, 2025 08:00 AM
"Threat actors have a goal in mind and they'll use whatever path they see to get that goal" - AWS CISO tells us how your company can stay safe, by being more like Amazon

With AI now a common presence in businesses everywhere, a need for smarter and more intuitive cybersecurity is also paramount,...

December 19, 2025 08:00 AM
Amazon Business: Helping Firms Save Time and Money

Amazon Business has announced a new membership programme, helping small and midsize firms with finance, human resources and cybersecurity...

December 18, 2025 08:00 AM
Amazon Extends Payroll and Cybersecurity Help to Small Businesses

Get the Full Story ... The tech giant announced Thursday (Dec. 18) that these small and medium-sized businesses (SMBs) can now access benefits...

December 18, 2025 08:00 AM
Amazon Business Prime Offers Small and Midsize Businesses Even More Value with New Benefits from Intuit QuickBooks, CrowdStrike, and Gusto

Business Prime customers have access to exclusive benefits with Intuit QuickBooks, CrowdStrike, and Gusto to support their financial...

December 17, 2025 08:00 AM
How Amazon’s CSO defends against efforts by North Korean IT workers to infiltrate his company

Steve Schmidt, the chief security officer at Amazon, says his team has identified and blocked more than 1,800 attempts by North Korea to...

December 08, 2025 08:00 AM
AWS CISO Amy Herzog thinks AI agents will be a ‘boon’ for cyber professionals — and teams at Amazon are already seeing huge gains

Agentic AI security tools have huge potential for cybersecurity teams, and workers at Amazon are already seeing big improvements.


Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

Amazon Business CyberSecurity History Information

Official Website of Amazon Business

The official website of Amazon Business is https://www.amazonbusiness.com/linkedin.

Amazon Business’s AI-Generated Cybersecurity Score

According to Rankiteo, Amazon Business’s AI-generated cybersecurity score is 794, reflecting their Fair security posture.

How many security badges does Amazon Business have ?

According to Rankiteo, Amazon Business currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Has Amazon Business been affected by any supply chain cyber incidents ?

According to Rankiteo, Amazon Business has been affected by multiple supply chain cyber incidents. The affected supply chain sources and their corresponding incident IDs are:

  • Amazon (Incident ID: LASAMA1769009064)
  • LinkedIn (Incident ID: LINAWS1766995316)
  • Wiz (Incident ID: AMAWIZ1768515615)
  • Fortinet (Incident ID: FORCISAMAJPM1767748297)
Does Amazon Business have SOC 2 Type 1 certification ?

According to Rankiteo, Amazon Business is not certified under SOC 2 Type 1.

Does Amazon Business have SOC 2 Type 2 certification ?

According to Rankiteo, Amazon Business does not hold a SOC 2 Type 2 certification.

Does Amazon Business comply with GDPR ?

According to Rankiteo, Amazon Business is not listed as GDPR compliant.

Does Amazon Business have PCI DSS certification ?

According to Rankiteo, Amazon Business does not currently maintain PCI DSS compliance.

Does Amazon Business comply with HIPAA ?

According to Rankiteo, Amazon Business is not compliant with HIPAA regulations.

Does Amazon Business have ISO 27001 certification ?

According to Rankiteo, Amazon Business is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.

Industry Classification of Amazon Business

Amazon Business operates primarily in the Retail industry.

Number of Employees at Amazon Business

Amazon Business employs approximately 14,873 people worldwide.

Subsidiaries Owned by Amazon Business

Amazon Business presently has no subsidiaries across any sectors.

Amazon Business’s LinkedIn Followers

Amazon Business’s official LinkedIn profile has approximately 172,234 followers.

NAICS Classification of Amazon Business

Amazon Business is classified under the NAICS code 43, which corresponds to Retail Trade.

Amazon Business’s Presence on Crunchbase

No, Amazon Business does not have a profile on Crunchbase.

Amazon Business’s Presence on LinkedIn

Yes, Amazon Business maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/amazon-business.

Cybersecurity Incidents Involving Amazon Business

As of January 25, 2026, Rankiteo reports that Amazon Business has experienced 26 cybersecurity incidents.

Number of Peer and Competitor Companies

Amazon Business has an estimated 15,595 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at Amazon Business ?

Incident Types: The types of cybersecurity incidents that have occurred include Cyber Attack, Ransomware, Vulnerability, Data Leak and Breach.

What was the total financial impact of these incidents on Amazon Business ?

Total Financial Loss: The total financial loss from these incidents is estimated to be $530 million.

How does Amazon Business detect and respond to cybersecurity incidents ?

Detection and Response: Rankiteo records the following detection, containment, remediation, recovery and communication measures across the incidents listed on this page:

  • Communication strategy: public demand for social engineering training for employees (customer-service social engineering incident).
  • Remediation: employees fired (customer-data sharing and Ring video-access incidents).
  • Containment: the exposed S3 bucket removed (Bongo International exposure).
  • Remediation and communication: Ring deployed a fix, posted on Facebook and updated its status page (backend update bug).
  • Third-party assistance: Fog Security, the researchers who discovered the Trusted Advisor issue. Containment: AWS implemented fixes to Trusted Advisor in June 2025 so it correctly detects misconfigured buckets, and emailed customers about the issue and the fixes. Remediation: customers advised to enable Block Public Access at account and bucket level, switch from ACLs to IAM policies, and manually review S3 bucket configurations. Recovery: Trusted Advisor now displays the correct bucket status; Fog Security released an open-source tool to scan S3 resources for access issues. Communication: AWS emails to customers (coverage may be incomplete) and public disclosure via cybersecurity news outlets (e.g., Help Net Security).
  • Communication: public disclosure via the California Office of the Attorney General (Whole Foods breach).
  • Third-party assistance: Darktrace (detection and analysis). Remediation: securing exposed Docker APIs, disabling unnecessary external access to Docker daemons, reviewing AWS EC2 configurations. Enhanced monitoring: Darktrace honeypots for detection (ShadowV2 campaign).
  • Incident response plan activated: yes (AWS acknowledged increased error rates and latencies; detailed post-event summary pending). Containment: resolved DNS resolution issues; addressed impairments in the internal subsystem for Network Load Balancer health monitoring. Remediation: cleared the backlog of internet traffic requests; restored services to normal operation. Recovery: full service restoration after ~16 hours. Communication: public acknowledgment via the AWS status website; a spokeswoman provided updates to media (no detailed timeline for a post-event summary) (AWS global outage).
  • Incident response plan activated: yes (AWS reported fixing the underlying issue). Containment: technical fix applied to a data center malfunction.
  • Containment: urgent security bulletin AWS-2025-025 and end-of-support notification for affected versions. Remediation: upgrade to Amazon WorkSpaces client for Linux version 2025.0 or newer. Communication: security bulletin, direct outreach via [email protected], public advisory.
  • Remediation: hardening S3 bucket configurations, enhancing encryption key management, monitoring for abnormal key-rotation activity. Enhanced monitoring: cloud-native security tools for encryption and key-management anomalies.
  • Containment: immediate rotation of IAM credentials and monitoring for unusual activity. Remediation: multifactor authentication (MFA), security audits, engagement with AWS Support. Enhanced monitoring: Amazon GuardDuty for threat detection.
  • Third-party assistance: Unit 42 (Palo Alto Networks). Remediation: proactive cloud security policies, encryption standards, regular security audits, isolation of AI workloads. Network segmentation recommended as part of a holistic security approach; enhanced monitoring recommended for AI workloads and cloud environments.
  • Containment: AWS Trust & Safety abuse reporting process; disabling prohibited content. Remediation: layered defenses, enhanced monitoring for unusual traffic patterns or file types, additional verification procedures for resume submissions.
  • Enhanced monitoring: identity-checking service enabled (80%+ of AWS users).
  • Incident response plan activated: yes. Third-party assistance: Wiz (cloud security company). Containment: remediation of misconfigured webhook filters and credential rotations. Remediation: anchoring regex patterns, enabling the pull-request comment approval build gate, using CodeBuild-hosted runners, limiting PAT permissions. Recovery: securing build processes that hold GitHub tokens or credentials in memory. Communication: public advisory released by AWS and Wiz.
  • Containment: disruption of active threat operations and customer notifications. Communication: public disclosure by Amazon’s threat intelligence unit (Sandworm campaign).
  • Third-party assistance: yes (partners to dismantle malicious infrastructure). Containment: working to dismantle phishing infrastructure; urging users to delete suspicious emails. Remediation: reinforcing phishing awareness, blocking identified sender addresses. Communication: advising users to report suspicious emails to [email protected] and clarifying legitimate communication practices.

Incident Details

Can you provide details on each incident ?

Incident : Data Breach

Title: Amazon Customer Service Social Engineering Incident

Description: An attacker used social engineering techniques to trick an Amazon customer service representative into disclosing personal information of a user named Eric Springer. The attacker obtained credit card details, address, and other personal information.

Type: Data Breach

Attack Vector: Social Engineering

Vulnerability Exploited: Human Error

Threat Actor: Unknown

Motivation: Theft of Personal Information

Incident : Data Breach

Title: Ring Neighbors App Security Flaw

Description: A security flaw in Ring’s Neighbors app exposed the precise locations and home addresses of users who had posted to the app. It included the videos taken by Ring doorbells and security cameras and the bug made it possible to retrieve the location data of users who posted to the app. The bug retrieved the hidden data, including the user’s latitude and longitude and their home address, from Ring’s servers. The hackers also created tools to break into Ring accounts and over 1,500 user account passwords were found on the dark web.

Type: Data Breach

Attack Vector: Exploitation of Software Vulnerability

Vulnerability Exploited: Security flaw in Neighbors app

Threat Actor: Hackers

Motivation: Data Theft

Incident : Data Breach

Title: Ring Employees Fired for Improper Access to User Video Data

Description: Amazon-owned home security camera company Ring fired employees for improperly accessing Ring users' video data. This data can be particularly sensitive as customers often put the cameras inside their home. Ring employees in Ukraine were given unrestricted access to videos from Ring cameras around the world.

Type: Data Breach

Attack Vector: Insider Threat

Vulnerability Exploited: Improper Access Controls

Threat Actor: Ring Employees

Motivation: Unauthorized Access

Incident : Data Breach

Title: Amazon Employee Data Breach

Description: Amazon had fired a number of employees after they shared customer email addresses and phone numbers with a third-party in violation of their policies. No other information related to account was shared.

Type: Data Breach

Attack Vector: Insider Threat

Vulnerability Exploited: Policy Violation

Threat Actor: Employees

Motivation: Unknown

Incident : Data Breach

Title: Twitch Data Breach

Description: An anonymous hacker leaked Twitch data, including information related to the company’s source code, clients, and unreleased games.

Type: Data Breach

Attack Vector: Configuration Error

Vulnerability Exploited: Error in server configuration change

Threat Actor: Anonymous Hacker

Incident : Data Breach

Title: Ring Camera Data Breach

Description: 3,672 Ring camera owners' login information, including login emails, passwords, time zones, and the names people give to certain Ring cameras, was stolen. This enables a potential assailant to observe cameras in someone's home, which is a grave potential breach of privacy. A hacker might access a Ring customer's home address, phone number, and payment information, including the type of card they have, its last four numbers, and security code, using the login email and password.

Type: Data Breach

Attack Vector: Unauthorized Access

Threat Actor: Unknown

Motivation: Data Theft

Incident : Data Breach

Title: Whole Foods Market Payment Card Breach

Description: Whole Foods Market chain suffered a payment card breach where thieves obtained credit card details of patrons who made transactions at specific locations, such as full-service restaurants and taprooms inside some stores, without authorization.

Type: Data Breach

Attack Vector: Payment Card Systems

Threat Actor: Thieves

Motivation: Financial Gain

Incident : Data Exposure

Title: Data Exposure of Bongo International's S3 Bucket

Description: An Amazon S3 bucket containing scans of about 119,000 US and foreign citizens' IDs and personal information was found by researchers. The firm that owns the data, Bongo International, is owned by FedEx and supports North American retailers' and brands' online sales to customers abroad. In the AWS bucket were over 112,000 files, unencrypted data, and customer ID scans from a wide range of nations, including the US, Mexico, Canada, many EU nations, Saudi Arabia, Kuwait, Japan, Malaysia, China, and Australia. FedEx did not remove the S3 bucket until its presence was made public, despite Kromtech's best efforts to get in touch with them.

Type: Data Exposure

Attack Vector: Misconfigured S3 Bucket

Vulnerability Exploited: Misconfiguration

Incident : Privacy Violation

Title: Privacy Violations Exposed by webXray

Description: webXray, a tool designed to expose privacy violations on the internet, reveals how tech giants like Google and various websites track user data and browsing habits. Developed by former Google engineer Tim Libert, webXray analyzes web activity to identify which sites collect data, including sensitive information. Such tracking, often without clear user consent, can breach laws like HIPAA and GDPR, posing serious threats to individuals' privacy. The tool aims to empower regulators and attorneys to assess and rectify these violations, promoting a balanced digital ecosystem.

Type: Privacy Violation

Attack Vector: Data Tracking

Vulnerability Exploited: Lack of clear user consent

Motivation: Data Collection

Incident : Misconfiguration

Title: AWS Application Load Balancer Vulnerability

Description: A vulnerability in Amazon Web Services' Application Load Balancer was discovered by security firm Miggo, which could potentially allow an attacker to bypass access controls and compromise web applications. This vulnerability was not due to a software flaw but stemmed from customers' configuration of the service, particularly the setup of authentication. Researchers identified over 15,000 web applications with potentially vulnerable configurations, though AWS disputes the figure and has contacted customers to recommend more secure setups. Exploiting this vulnerability would involve token forgery by the attacker to obtain unauthorized access to applications, escalating privileges within the system.

Type: Misconfiguration

Attack Vector: Token Forgery

Vulnerability Exploited: Misconfiguration of AWS Application Load Balancer Authentication

Motivation: Unauthorized Access, Privilege Escalation
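The ALB issue above comes down to applications trusting the x-amzn-oidc-data header without checking which load balancer signed it; a token minted by an attacker's own ALB carries a genuine AWS signature, so verifying the signature alone does not reject it. As an added example (not Miggo's research code and not an AWS library), the following Python pins the signer claim to the application's own ALB ARN before anything else. It assumes the documented ALB token layout (a JWT with alg ES256 and kid, signer and exp in the header); the ARNs, key id and tokens are constructed, and the signature verifier is a stand-in for ES256 verification against the key fetched from the ELB public-keys endpoint.

```python
import base64
import json
import time

# Assumed ARNs for the demo; neither is a real load balancer.
OUR_ALB_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/0123456789abcdef"
ATTACKER_ALB_ARN = "arn:aws:elasticloadbalancing:us-east-1:999999999999:loadbalancer/app/evil/fedcba9876543210"


def _b64url_decode(segment):
    # ALB emits base64url; accept both padded and unpadded segments.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def validate_alb_oidc_data(token, expected_alb_arn, verify_signature, now=None):
    """Validate an x-amzn-oidc-data JWT and return its claims; raise ValueError otherwise.

    verify_signature(kid, signing_input, signature) -> bool must check the ES256
    signature against the ALB public key for `kid` (in production fetched from
    https://public-keys.auth.elb.<region>.amazonaws.com/<kid> and cached).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    if header.get("alg") != "ES256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    # The misconfiguration: an application that skips this pin accepts a token
    # minted by an attacker-controlled ALB. That token carries a genuine AWS
    # signature, so signature verification alone cannot reject it.
    if header.get("signer") != expected_alb_arn:
        raise ValueError("token signed by another load balancer")
    kid = header.get("kid")
    if not kid:
        raise ValueError("missing kid")
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    if not verify_signature(kid, signing_input, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    exp = header.get("exp", claims.get("exp"))  # ALB places exp in the header
    current = now if now is not None else time.time()
    if exp is None or float(exp) <= current:
        raise ValueError("expired")
    return claims


def reject_reason(token, expected_alb_arn, verify_signature, now=None):
    """None when the token is accepted, otherwise the rejection reason."""
    try:
        validate_alb_oidc_data(token, expected_alb_arn, verify_signature, now)
        return None
    except ValueError as exc:
        return str(exc)


def make_token(signer, sub, exp, kid="demo-key-id"):
    """Constructed token in the ALB layout; real tokens are minted by the ALB itself."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode()
    header = {"typ": "JWT", "alg": "ES256", "kid": kid, "signer": signer, "exp": exp,
              "iss": "https://idp.example.com", "client": "demo-client-id"}
    payload = {"sub": sub, "email": f"{sub}@example.com"}
    fake_signature = base64.urlsafe_b64encode(bytes(64)).decode()
    return f"{enc(header)}.{enc(payload)}.{fake_signature}"


def signature_is_genuine(kid, signing_input, signature):
    # Stand-in for ES256 verification. In the attack scenario the forged token IS
    # genuinely signed by AWS (by the attacker's own ALB), so a correct verifier
    # returns True for both tokens; only the signer pin tells them apart.
    return kid == "demo-key-id" and len(signature) == 64


if __name__ == "__main__":
    now = int(time.time())
    for label, tok in (("own ALB", make_token(OUR_ALB_ARN, "alice", now + 120)),
                       ("attacker ALB", make_token(ATTACKER_ALB_ARN, "admin", now + 120))):
        print(label, "->", reject_reason(tok, OUR_ALB_ARN, signature_is_genuine, now) or "accepted")
```

The signer pin is only half of the fix: the targets must also accept traffic solely from the application's own ALB (security-group ingress restricted to the ALB's group), so that an attacker cannot deliver a crafted header straight to the backend without passing through any load balancer at all.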

Incident : Bug/Exploit

Title: Ring Backend Update Bug Causes Unauthorized Device Logins

Description: Ring customers reported seeing unusual devices logged into their accounts from various locations worldwide, leading them to believe their accounts had been hacked. Ring attributed this to a backend update bug.

Date Detected: 2023-05-28

Type: Bug/Exploit

Attack Vector: Backend Update Bug

Vulnerability Exploited: Backend Update Bug

Incident : Misconfiguration

Title: AWS Trusted Advisor Misconfiguration Vulnerability Allows Public S3 Bucket Exposure Without Detection

Description: Fog Security researchers discovered a vulnerability in AWS’s Trusted Advisor tool, which failed to detect publicly exposed S3 storage buckets due to specific bucket policy misconfigurations. Attackers or malicious insiders could exploit this to make S3 buckets publicly accessible without triggering Trusted Advisor warnings. The issue was privately reported to AWS and fixed in June 2025, but concerns remain about inadequate customer notifications and potential lingering misconfigurations.

Date Resolved: 2025-06

Type: Misconfiguration

Attack Vector: Insider Threat (Malicious or Accidental), Compromised AWS Credentials, Policy Manipulation

Vulnerability Exploited: AWS Trusted Advisor Bypass via S3 Bucket Policy Misconfiguration (Deny Rules for `s3:GetBucketPolicyStatus`, `s3:GetBucketPublicAccessBlock`, `s3:GetBucketAcl`)

Threat Actor: Malicious Insiders (e.g., disgruntled employees), External Attackers with Compromised Credentials, Accidental Misconfiguration by Legitimate Users

Motivation: Data Exfiltration, Unauthorized Data Access, Covert Persistence, Accidental Exposure
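Two incidents on this page are S3 exposure at different layers: the Bongo International bucket was simply world-readable, while the Trusted Advisor case above involved a bucket policy whose Deny on the status-read calls hid its public state from the scanner. As an added example, not Fog Security's tool and not AWS code, the following Python checks one bucket for the conditions the remediation advice targets: Block Public Access flags off, ACL grants to AllUsers or AuthenticatedUsers, policy statements that grant everyone access, and Deny statements covering s3:GetBucketPolicyStatus, s3:GetBucketPublicAccessBlock or s3:GetBucketAcl. The bucket records are constructed for the example, modeled on the responses of get_public_access_block, get_bucket_policy and get_bucket_acl; that those three Get* calls are the ones a scanner depends on is taken from the incident description above.

```python
import fnmatch

# Read-only calls a scanner (Trusted Advisor included) needs to see whether a
# bucket is public; a Deny covering any of them hides the bucket from the check.
AUDIT_READ_ACTIONS = (
    "s3:GetBucketPolicyStatus",
    "s3:GetBucketPublicAccessBlock",
    "s3:GetBucketAcl",
)
PUBLIC_ACL_GRANTEES = (
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
)
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_covers(pattern, action):
    """IAM action matching: case-insensitive, '*' wildcards (s3:GetBucket*, s3:*)."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _is_everyone(principal):
    return principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))


def audit_bucket(bucket):
    """Findings for one bucket record (see SAMPLE_BUCKETS for the assumed shape)."""
    name, findings = bucket["Name"], []

    def add(check, detail):
        findings.append({"bucket": name, "check": check, "detail": detail})

    pab = bucket.get("PublicAccessBlock") or {}
    for flag in PAB_FLAGS:                      # Block Public Access, bucket or account level
        if not pab.get(flag, False):
            add("public-access-block", f"{flag} is off")
    for grant in bucket.get("AclGrants", []):   # legacy ACLs; IAM/bucket policies are preferred
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_ACL_GRANTEES:
            add("public-acl", f"{grant.get('Permission')} granted to {uri.rsplit('/', 1)[-1]}")
    for stmt in _as_list((bucket.get("Policy") or {}).get("Statement")):
        sid, actions = stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action"))
        if stmt.get("Effect") == "Allow" and _is_everyone(stmt.get("Principal")) and not stmt.get("Condition"):
            add("public-policy", f"{sid} allows {actions} to everyone")
        if stmt.get("Effect") == "Deny":
            hidden = [a for a in AUDIT_READ_ACTIONS if any(_action_covers(p, a) for p in actions)]
            if hidden:
                add("audit-blinding-deny", f"{sid} denies {hidden}, so scanners cannot read the public status")
    return findings


def audit_all(buckets):
    return {b["Name"]: audit_bucket(b) for b in buckets}


PAB_ON = {flag: True for flag in PAB_FLAGS}
PAB_OFF = {flag: False for flag in PAB_FLAGS}

# Constructed records (not real buckets), modeled on get_public_access_block,
# get_bucket_policy and get_bucket_acl responses.
SAMPLE_BUCKETS = [
    {   # the Bongo International pattern: open at every layer
        "Name": "id-scans-example",
        "PublicAccessBlock": PAB_OFF,
        "AclGrants": [{"Grantee": {"Type": "Group", "URI": PUBLIC_ACL_GRANTEES[0]}, "Permission": "READ"}],
        "Policy": {"Version": "2012-10-17", "Statement": [
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::id-scans-example/*"}]},
    },
    {   # the Trusted Advisor pattern: looks locked down, but denies the status reads
        "Name": "audit-blinded-example",
        "PublicAccessBlock": PAB_ON,
        "AclGrants": [],
        "Policy": {"Version": "2012-10-17", "Statement": [
            {"Sid": "HideStatus", "Effect": "Deny", "Principal": "*",
             "Action": ["s3:GetBucketPolicyStatus", "s3:GetBucketPublicAccessBlock"],
             "Resource": "arn:aws:s3:::audit-blinded-example"},
            {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::audit-blinded-example/*",
             "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]},
    },
    {   # hardened: Block Public Access on, no ACL grants, access scoped to one role
        "Name": "hardened-example",
        "PublicAccessBlock": PAB_ON,
        "AclGrants": [],
        "Policy": {"Version": "2012-10-17", "Statement": [
            {"Sid": "ExporterOnly", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::123456789012:role/exporter"},
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::hardened-example/*"}]},
    },
]

if __name__ == "__main__":
    for bucket, findings in audit_all(SAMPLE_BUCKETS).items():
        print(bucket, "->", [f["check"] + ": " + f["detail"] for f in findings] or "no findings")
```

The audit-blinding check is the one a console-only review misses: the second sample passes every Block Public Access test and has no public grant, yet a scanner running under a principal caught by that Deny would report nothing at all. Treat a Deny on those read calls as a finding in its own right, whatever the rest of the policy says.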

Incident : Data Breach

Title: Whole Foods Market Data Breach (2017)

Description: The California Office of the Attorney General reported a data breach involving Whole Foods Market Services, Inc. on October 20, 2017. The breach involved unauthorized access to payment card information and was discovered on September 23, 2017. It affected transactions conducted between March 10, 2017, and September 28, 2017. The number of individuals affected remains unknown.

Date Detected: 2017-09-23

Date Publicly Disclosed: 2017-10-20

Type: Data Breach

Incident : DDoS Attack

Title: ShadowV2 DDoS Campaign Exploiting Exposed Docker APIs on AWS EC2

Description: Darktrace researchers discovered that the ShadowV2 threat group is exploiting misconfigured, exposed Docker APIs on AWS EC2 instances to launch DDoS attacks. The attackers use the Python Docker SDK to interact with exposed Docker daemons, building malicious containers directly on victim machines rather than importing prebuilt images. This approach may reduce forensic traces. The campaign highlights the industrialization of cybercrime, with DDoS attacks being treated as a business service by threat actors.

Type: DDoS Attack

Attack Vector: Exposed Docker API, Misconfigured AWS EC2 Instances, Python Docker SDK

Vulnerability Exploited: Misconfigured Docker Daemon (Exposed to Internet), Improper Access Controls on AWS EC2

Threat Actor: ShadowV2

Motivation: Financial Gain, Disruption, Cybercrime-as-a-Service

Incident : Service Disruption

Title: AWS Global Outage Due to DNS Resolution Issues (October 20, 2024)

Description: Amazon Web Services (AWS) experienced a 16-hour global outage on October 20, 2024, attributed to DNS resolution issues in the US-East-1 region. The outage disrupted hundreds of online services globally, including Zoom, Canva, Roblox, Fortnite, Snapchat, Reddit, and banking/airline services. The incident was resolved after addressing DNS issues, internal subsystem impairments (network load balancer health monitoring), and a backlog of internet traffic requests. AWS has not yet disclosed the root cause (e.g., hardware error, misconfiguration, human error, or cyber attack), but experts likened its impact to a coordinated cyber attack due to its scale and reliance on legacy technologies like DNS.

Date Detected: 2024-10-20T09:00:00Z

Date Publicly Disclosed: 2024-10-20

Date Resolved: 2024-10-21T01:00:00Z

Type: Service Disruption

Incident : Service Disruption

Title: Major AWS Outage Impacts Thousands of Organizations Globally

Description: AWS (Amazon Web Services), the world’s largest cloud computing platform, experienced a major outage caused by a malfunction at one of its data centers in Northern Virginia, USA. The incident disrupted services for thousands of organizations, including banks, financial software platforms like Xero, and social media platforms like Snapchat. While AWS reported fixing the underlying issue, some users continued to experience service disruptions. The outage underscores the vulnerabilities of heavy reliance on cloud computing and the risks of single points of failure in centralized systems.

Type: Service Disruption

Vulnerability Exploited: Malfunction at AWS data center (likely a configuration error)

Incident : Vulnerability

Title: Critical Authentication Token Exposure in Amazon WorkSpaces Client for Linux (CVE-2025-12779)

Description: A recently disclosed vulnerability in the Amazon WorkSpaces client for Linux (CVE-2025-12779) exposes a critical security flaw that could allow attackers to gain unauthorized access to user environments due to improper handling of authentication tokens. The issue affects versions 2023.0 through 2024.8, where local users on the same machine could extract valid authentication tokens left accessible by the client, potentially gaining control over another user’s private virtual WorkSpace session. AWS has addressed the issue in version 2025.0 and urges immediate updates.

Date Publicly Disclosed: 2025-11-05

Type: Vulnerability

Attack Vector: Local, Improper Authentication Token Handling

Vulnerability Exploited: CVE-2025-12779

Incident : ransomware

Title: Ransomware Operators Targeting AWS S3 Buckets with Cloud-Native Encryption Abuse

Description: Cybersecurity researchers have warned about ransomware operators shifting focus from traditional on-premises targets to cloud storage services, particularly AWS S3 buckets. A Trend Micro report highlights a new wave of attacks where attackers abuse cloud-native encryption and key management services (e.g., encryption management, key rotation) to render data unrecoverable, rather than merely stealing or deleting it. This evolution reflects attackers adapting to stronger perimeter protections adopted by organizations.

Type: ransomware

Attack Vector: abuse of cloud-native encryption services, key management service manipulation, misconfigured S3 buckets

Vulnerability Exploited: misconfigured AWS S3 bucket permissions, weak encryption key management practices, insufficient cloud-native security controls

Motivation: financial gain (ransom), disruption of operations

Incident : Cryptocurrency Mining

Title: Cryptocurrency Mining Campaign Targeting AWS Customers via Compromised IAM Credentials

Description: A cryptocurrency mining campaign exploits compromised AWS Identity and Access Management (IAM) credentials to hijack AWS environments for unauthorized cryptocurrency mining. The campaign employs novel persistence techniques, making detection and remediation challenging. Amazon GuardDuty first identified the threat on November 2, 2025, highlighting vulnerabilities in cloud security and the critical need for robust IAM protocols.

Date Detected: 2025-11-02

Type: Cryptocurrency Mining

Attack Vector: Compromised IAM credentials

Vulnerability Exploited: Weak IAM credential security, lack of multifactor authentication (MFA)

Motivation: Financial gain through unauthorized cryptocurrency mining

Incident : AI System Targeting, Cloud Infrastructure Exploitation

Title: Increasing Attacks on AI Systems via Cloud Infrastructure Vulnerabilities

Description: Recent findings from Unit 42 (Palo Alto Networks) reveal that every organization has faced at least one attack targeting their AI systems over the past year. The research highlights that AI security is fundamentally a cloud infrastructure issue, requiring a systematic and proactive approach rather than reactive measures. The survey included over 2,800 participants from 10 countries, emphasizing the global scale of the threat.

Date Publicly Disclosed: 2025-10-17

Type: AI System Targeting, Cloud Infrastructure Exploitation

Attack Vector: Cloud infrastructure vulnerabilities, unauthorized access, data pipeline exploitation

Vulnerability Exploited: Weaknesses in cloud security, insufficient encryption, inadequate identity management, lack of network segmentation

Motivation: Data theft, operational disruption, adversarial attacks on AI models

Incident : Phishing/Social Engineering, Malware Delivery

Title: FIN6 Skeleton Spider Campaign Targeting HR Professionals via Fake Job Applications

Description: The financially motivated cybercrime group FIN6, also known as Skeleton Spider, is targeting human resources professionals with an elaborate social engineering scheme that uses fake job applications to deliver malware. The campaign involves attackers posing as job seekers on professional platforms like LinkedIn and Indeed, building rapport with recruiters before following up with phishing emails containing malicious resume links. The fake resume sites employ sophisticated traffic filtering to deliver the More_eggs backdoor malware, which enables credential theft, system access, and follow-on attacks.

Type: Phishing/Social Engineering, Malware Delivery

Attack Vector: Phishing emails with malicious links, fake resume portfolios hosted on AWS

Vulnerability Exploited: Human psychology (trust in job applications), abuse of trusted cloud infrastructure (AWS EC2/S3)

Threat Actor: FIN6 (Skeleton Spider)

Motivation: Financial gain, credential theft, follow-on attacks (e.g., ransomware deployment)

Incident : Data Exposure

Title: Toxic Cloud Trilogies: Publicly Exposed, Critically Vulnerable, and Highly Privileged Cloud Buckets

Description: Tenable’s report highlights serious risks facing cloud storage users, including publicly exposed, critically vulnerable, and highly privileged cloud buckets (termed 'toxic cloud trilogies'). Researchers found sensitive data leaks in AWS and GCP cloud buckets, including Elastic Container Service task definitions, CloudRun environment variables, and user data. Despite improvements, 29% of organizations still had at least one toxic cloud trilogy, with 7% having 10 or more. AWS hosted more sensitive data (16.7%) than GCP (6.5%) or Azure (3.2%).

Date Publicly Disclosed: 2025-03-05

Type: Data Exposure

Attack Vector: Misconfigured Cloud Storage

Vulnerability Exploited: Publicly exposed cloud buckets with critical vulnerabilities and highly privileged data

Incident : Supply Chain Attack

Title: CodeBreach: AWS CodeBuild Misconfiguration Could Lead to Platform-Wide Compromise

Description: A critical misconfiguration in Amazon Web Services (AWS) CodeBuild could have allowed complete takeover of the cloud service provider's own GitHub repositories, including its AWS JavaScript SDK, putting every AWS environment at risk. The vulnerability, codenamed CodeBreach, was discovered by cloud security company Wiz and could have enabled attackers to inject malicious code to launch a platform-wide compromise, affecting applications depending on the SDK and the AWS Console itself.

Date Detected: 2025-08-25

Date Publicly Disclosed: 2025-09-01

Date Resolved: 2025-09-01

Type: Supply Chain Attack

Attack Vector: Misconfigured CI/CD Pipeline

Vulnerability Exploited: Insufficient regex anchoring in AWS CodeBuild webhook filters

Incident : Cyber Espionage, Lateral Movement, Credential Harvesting

Title: Russian Sandworm Hackers Target Misconfigured AWS Edge Devices in Multi-Year Campaign

Description: Russian state-sponsored hackers (Sandworm group) conducted a yearslong cyberattack campaign in 2025 targeting misconfigured network edge devices hosted on AWS infrastructure. The attacks focused on energy sector organizations and businesses with cloud-hosted network infrastructure, primarily in Western nations, North America, and Europe. The hackers exploited exposed management interfaces on customer-owned edge devices to gain initial access, harvest credentials, and move laterally within victim networks.

Date Detected: 2025

Type: Cyber Espionage, Lateral Movement, Credential Harvesting

Attack Vector: Exposed management interfaces on misconfigured network edge devices

Vulnerability Exploited: Customer misconfigurations (not AWS vulnerabilities)

Threat Actor: Sandworm (GRU-linked, Russian state-sponsored)

Motivation: Cyber espionage, targeting critical infrastructure

Incident : Phishing

Title: Critical Phishing Campaign Targets LastPass Users in Sophisticated Attack

Description: A high-severity phishing campaign targeting LastPass users began on January 19, 2026, with attackers impersonating the company’s support team to steal master passwords. The fraudulent emails falsely claim an urgent need for vault backups within 24 hours, leveraging social engineering to exploit user trust. LastPass confirmed it never requests master passwords or demands immediate vault backups via email. The campaign was launched over a U.S. holiday weekend to exploit reduced security staffing and slower incident response times. The phishing infrastructure uses compromised AWS S3 buckets and a spoofed domain mimicking LastPass’s services. LastPass is working with third-party partners to dismantle the malicious infrastructure and urges users to delete suspicious emails and report them to [email protected].

Date Detected: 2026-01-19

Type: Phishing

Attack Vector: Email

Vulnerability Exploited: Social Engineering, Trust Exploitation

Motivation: Credential Harvesting

Incident : Data Breach

Title: TikTok GDPR Violation for Data Transfers to China

Description: TikTok was fined €530 million by Ireland's Data Protection Commission for storing European users’ data on Chinese servers between July 2020 and November 2022 without adequate safeguards or transparency. This marked the first major GDPR penalty for data transfers to a non-U.S. country.

Date Publicly Disclosed: 2025

Type: Data Breach

Vulnerability Exploited: Inadequate safeguards for international data transfers

What are the most common types of attacks the company has faced?

Common Attack Types: The most common type of attack the company has faced is Cyber Attack.

How does the company identify the attack vectors used in incidents?

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Email, Security flaw in Neighbors app, Exposed Docker API on AWS EC2, misconfigured S3 buckets, compromised cloud credentials, Compromised IAM credentials, LinkedIn, Indeed (professional networking platforms), Predictable GitHub actor ID via bot user registration, Exposed management interfaces on misconfigured edge devices and Phishing email.

Impact of the Incidents

What was the impact of each incident?

Incident : Data Breach AMA0417522

Data Compromised: Credit card details, Address, Other personal information

Brand Reputation Impact: High

Identity Theft Risk: High

Payment Information Risk: High

Incident : Data Breach RIN01518622

Data Compromised: Home addresses, Latitude and longitude, User account passwords

Systems Affected: Ring Neighbors app

Incident : Data Breach RIN211261222

Data Compromised: Video Data

Systems Affected: Ring Security Cameras

Incident : Data Breach AMA21461222

Data Compromised: Email addresses, Phone numbers

Incident : Data Breach TWI19174123

Data Compromised: Source code, Clients information, Unreleased games

Incident : Data Breach RIN2178523

Data Compromised: Login emails, Passwords, Time zones, Camera names, Home address, Phone number, Payment information

Systems Affected: Ring Cameras

Identity Theft Risk: High

Payment Information Risk: High

Incident : Data Breach WHO04111223

Data Compromised: Payment card information

Systems Affected: Payment Card Systems

Payment Information Risk: High

Incident : Data Exposure AMA350181223

Data Compromised: Id scans, Personal information

Systems Affected: Amazon S3 Bucket

Identity Theft Risk: High

Incident : Privacy Violation AMA000072524

Data Compromised: User data and browsing habits

Brand Reputation Impact: Negative

Legal Liabilities: Potential breach of HIPAA and GDPR

Incident : Bug/Exploit RIN709072225

Systems Affected: Ring Accounts

Customer Complaints: Users reported unknown devices and strange IP addresses; Users reported live view activity without household access; Users reported not receiving security alerts or MFA prompts

Incident : Misconfiguration AMA505082225

Data Compromised: Potential exposure of sensitive data in publicly accessible S3 buckets (scope depends on bucket contents)

Systems Affected: AWS S3 Buckets, Trusted Advisor Security Checks

Operational Impact: False sense of security due to undetected public bucket exposure; potential for unauthorized data access or exfiltration

Brand Reputation Impact: Risk of reputational damage for AWS and affected customers if data breaches occur due to undetected exposures

Legal Liabilities: Potential compliance violations (e.g., GDPR, CCPA) if sensitive data is exposed

Identity Theft Risk: High (if PII is stored in affected buckets)

Payment Information Risk: High (if payment data is stored in affected buckets)

Incident : Data Breach WHO631090125

Data Compromised: Payment card information

Identity Theft Risk: Potential (due to payment card exposure)

Payment Information Risk: High

Incident : DDoS Attack AMA4092640092325

Systems Affected: AWS EC2 Instances with Exposed Docker APIs, Victim Containers

Operational Impact: Potential Service Disruption from DDoS, Resource Hijacking for Attack Infrastructure

Brand Reputation Impact: Potential Reputation Damage for Affected Organizations, Highlighting Cloud Security Gaps

Incident : Service Disruption AMA0232202102125

Systems Affected: DNS infrastructure, Network load balancers, Multiple AWS services in US-East-1

Downtime: 16 hours (from ~2024-10-20T09:00:00Z to ~2024-10-21T01:00:00Z)

Operational Impact: Severe disruption to global online services (e.g., banking, airlines, gaming, social media, productivity tools)

Customer Complaints: Thousands of reports on Downdetector (Singapore and globally)

Brand Reputation Impact: Highlighted overreliance on AWS and legacy DNS technologies; compared to CrowdStrike (July 2024) and Equinix (October 2023) outages

Incident : Service Disruption AMA1902119102225

Systems Affected: Cloud services; Banking platforms; Financial software (e.g., Xero); Social media (e.g., Snapchat)

Downtime: Prolonged (exact duration unspecified; some disruptions persisted after initial fix)

Operational Impact: Severe (domino effect paralyzing vast segments of the internet)

Customer Complaints: Likely high (widespread service disruptions reported)

Brand Reputation Impact: Moderate (highlights vulnerabilities in cloud reliance)

Incident : Vulnerability AMA0162101110725

Data Compromised: Authentication tokens, Potential workspace session access

Systems Affected: Amazon WorkSpaces client for Linux (versions 2023.0–2024.8)

Operational Impact: Unauthorized Access to Virtual WorkSpaces, Risk in Shared/Multi-User Environments

Brand Reputation Impact: Potential Erosion of Trust in AWS WorkSpaces Security

Identity Theft Risk: Session Hijacking Risk

Incident : ransomware AMA5032150112125

Systems Affected: AWS S3 buckets

Operational Impact: potential data unrecoverability due to encryption abuse, disruption of cloud storage services

Brand Reputation Impact: potential erosion of trust in cloud security practices

Incident : Cryptocurrency Mining AMA1765965358

Financial Loss: Potential resource costs from unauthorized AWS usage

Systems Affected: AWS environments, IAM configurations

Operational Impact: Degraded AWS performance, potential disruption of legitimate services

Brand Reputation Impact: Potential reputational damage for AWS and affected customers

Incident : AI System Targeting, Cloud Infrastructure Exploitation AMAUNIGOOWAK1766721300

Data Compromised: Sensitive data, AI training datasets, personally identifiable information

Systems Affected: AI workloads, cloud environments (AWS, Microsoft Azure, Google Cloud)

Operational Impact: Disruption of AI-driven services, potential compromise of critical operations

Brand Reputation Impact: Potential erosion of trust in AI-driven services

Identity Theft Risk: High (if PII is exposed)

Incident : Phishing/Social Engineering, Malware Delivery LINAWS1766995316

Data Compromised: Credentials, sensitive employee data, system access

Systems Affected: HR systems, corporate networks

Operational Impact: Potential disruption of HR operations, follow-on attacks (e.g., ransomware)

Brand Reputation Impact: Potential reputational damage due to compromised HR processes

Identity Theft Risk: High (credential theft, PII exposure)

Incident : Data Exposure FORCISAMAJPM1767748297

Data Compromised: Sensitive data, including confidential and restricted information

Systems Affected: AWS S3 Buckets, GCP Cloud Storage, AWS Elastic Container Service, Google CloudRun, AWS EC2 User Data

Operational Impact: Potential cascade of exploitative activity by attackers accessing exposed secrets

Brand Reputation Impact: High (due to sensitive data exposure)

Identity Theft Risk: High (due to exposure of personally identifiable information)

Incident : Supply Chain Attack AMAWIZ1768515615

Data Compromised: GitHub admin tokens, repository secrets, privileged credentials

Systems Affected: AWS CodeBuild, GitHub repositories (aws-sdk-js-v3, aws-lc, amazon-corretto-crypto-provider, awslabs/open-data-registry)

Operational Impact: Potential platform-wide compromise of AWS environments

Brand Reputation Impact: High

Incident : Cyber Espionage, Lateral Movement, Credential Harvesting AMA1768595116

Data Compromised: Credentials, network access

Systems Affected: Enterprise routers, VPN concentrators, remote access gateways, EC2 instances running customer-managed network appliances

Operational Impact: Persistent access to victim networks, lateral movement

Incident : Phishing LASAMA1769009064

Data Compromised: Master passwords, Vault backups

Brand Reputation Impact: Potential reputational damage due to phishing impersonation

Identity Theft Risk: High (master passwords compromised)

Incident : Data Breach TIKAMA1769016582

Financial Loss: €530 million fine

Data Compromised: European users’ data stored on Chinese servers

Brand Reputation Impact: High

Legal Liabilities: GDPR violation

What is the average financial loss per incident?

Average Financial Loss: The average financial loss per incident is $20.38 million.

What types of data are most commonly compromised in incidents?

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Credit Card Details, Address, Other Personal Information, Home Addresses, Latitude And Longitude, User Account Passwords, Video Data, Email Addresses, Phone Numbers, Source Code, Clients Information, Unreleased Games, Login Information, Camera Names, Time Zones, Home Address, Phone Number, Payment Information, Payment Card Information, Id Scans, Personal Information, User data and browsing habits, Potential exposure of any data stored in misconfigured S3 buckets (e.g., PII, financial data, proprietary information), Payment card information, Authentication Tokens, Sensitive Data, Ai Training Datasets, Personally Identifiable Information (Pii), Credentials, personally identifiable information (PII), sensitive employee data, Secrets, Confidential Data, Restricted Data, Personally Identifiable Information, Privileged credentials (GitHub admin tokens, Personal Access Tokens), Credentials, network access, Master passwords, Vault backups and User data.

Which entities were affected by each incident?

Incident : Data Breach AMA0417522

Entity Name: Amazon

Entity Type: Company

Industry: E-commerce

Location: Global

Size: Large

Incident : Data Breach RIN01518622

Entity Name: Ring

Entity Type: Company

Industry: Technology

Incident : Data Breach RIN211261222

Entity Name: Ring

Entity Type: Company

Industry: Home Security

Location: Global

Incident : Data Breach AMA21461222

Entity Name: Amazon

Entity Type: Corporation

Industry: E-commerce

Location: Global

Size: Large

Incident : Data Breach TWI19174123

Entity Name: Twitch

Entity Type: Company

Industry: Live Streaming

Incident : Data Breach RIN2178523

Entity Name: Ring

Entity Type: Company

Industry: Smart Home Technology

Customers Affected: 3672

Incident : Data Breach WHO04111223

Entity Name: Whole Foods Market

Entity Type: Retail

Industry: Grocery

Incident : Data Exposure AMA350181223

Entity Name: Bongo International

Entity Type: Private

Industry: Logistics

Location: Global

Customers Affected: 119,000

Incident : Privacy Violation AMA000072524

Entity Name: Google

Entity Type: Technology Company

Industry: Internet Services

Location: Global

Size: Large

Incident : Misconfiguration AMA000082124

Entity Name: Amazon Web Services

Entity Type: Cloud Service Provider

Industry: Technology

Customers Affected: 15000

Incident : Bug/Exploit RIN709072225

Entity Name: Ring

Entity Type: Company

Industry: Technology

Incident : Misconfiguration AMA505082225

Entity Name: Amazon Web Services (AWS)

Entity Type: Cloud Service Provider

Industry: Technology/Cloud Computing

Location: Global

Size: Large Enterprise

Customers Affected: All AWS customers using S3 buckets and Trusted Advisor (potential impact depends on bucket configurations)

Incident : Data Breach WHO631090125

Entity Name: Whole Foods Market Services, Inc.

Entity Type: Retail

Industry: Grocery/Supermarket

Location: California, USA (headquartered in Austin, Texas)

Customers Affected: Unknown

Incident : DDoS Attack AMA4092640092325

Entity Type: Cloud Service Providers, Organizations Using AWS EC2 with Misconfigured Docker

Incident : Service Disruption AMA0232202102125

Entity Name: Amazon Web Services (AWS)

Entity Type: Cloud Service Provider

Industry: Technology/Cloud Computing

Location: Global (primary impact in US-East-1 region)

Size: World's largest cloud provider

Customers Affected: Hundreds of services globally (e.g., Zoom, Canva, Roblox, Fortnite, Snapchat, Reddit, banks, airlines)

Incident : Service Disruption AMA0232202102125

Entity Name: Zoom

Entity Type: Software Company

Industry: Communication/Video Conferencing

Location: Global (reported disruptions in Singapore)

Incident : Service Disruption AMA0232202102125

Entity Name: Canva

Entity Type: Software Company

Industry: Graphic Design

Location: Global (reported disruptions in Singapore)

Incident : Service Disruption AMA0232202102125

Entity Name: Roblox

Entity Type: Gaming Platform

Industry: Entertainment/Gaming

Location: Global

Incident : Service Disruption AMA0232202102125

Entity Name: Fortnite (Epic Games)

Entity Type: Gaming Company

Industry: Entertainment/Gaming

Location: Global

Incident : Service Disruption AMA0232202102125

Entity Name: Snapchat (Snap Inc.)

Entity Type: Social Media Platform

Industry: Technology/Social Media

Location: Global

Incident : Service Disruption AMA0232202102125

Entity Name: Reddit

Entity Type: Social Media Platform

Industry: Technology/Social Media

Location: Global

Incident : Service Disruption AMA0232202102125

Entity Name: Unspecified Banks and Airlines

Entity Type: Financial Institutions, Aviation

Industry: Banking, Travel

Location: Global (including overseas from Singapore)

Incident : Service Disruption AMA1902119102225

Entity Name: Amazon Web Services (AWS)

Entity Type: Cloud Service Provider

Industry: Technology/Cloud Computing

Location: Northern Virginia, USA (data center)

Size: Large (30% global cloud market share)

Customers Affected: Thousands of organizations

Incident : Service Disruption AMA1902119102225

Entity Name: Xero

Entity Type: Financial Software Platform

Industry: FinTech

Location: Global

Incident : Service Disruption AMA1902119102225

Entity Name: Snapchat

Entity Type: Social Media Platform

Industry: Technology/Social Media

Location: Global

Incident : Service Disruption AMA1902119102225

Entity Name: Unspecified Banks

Entity Type: Financial Institutions

Industry: Banking

Location: Global

Incident : Vulnerability AMA0162101110725

Entity Name: Amazon Web Services (AWS)

Entity Type: Cloud Service Provider

Industry: Technology

Location: Global

Size: Large Enterprise

Customers Affected: Users of Amazon WorkSpaces client for Linux (versions 2023.0–2024.8)

Incident : ransomware AMA5032150112125

Entity Type: cloud service providers, organizations using AWS S3 buckets

Incident : Cryptocurrency Mining AMA1765965358

Entity Name: Amazon Web Services (AWS) customers

Entity Type: Cloud service users

Industry: Various (cross-industry)

Location: Global

Size: Unknown

Customers Affected: Multiple AWS accounts

Incident : AI System Targeting, Cloud Infrastructure Exploitation AMAUNIGOOWAK1766721300

Entity Type: Organizations across industries

Industry: Healthcare, Finance, Autonomous Vehicles, General Enterprise

Location: Mexico, Singapore, UK, United States, Japan, India, Germany, France, Brazil, Australia

Size: All sizes (survey included diverse organizations)

Incident : Phishing/Social Engineering, Malware Delivery LINAWS1766995316

Entity Type: Organizations with HR departments

Industry: Multiple (cross-industry)

Location: Global (targeting HR professionals via LinkedIn/Indeed)

Incident : Data Exposure FORCISAMAJPM1767748297

Entity Name: AWS Users

Entity Type: Cloud Service Provider Customers

Industry: Various

Location: Global

Incident : Data Exposure FORCISAMAJPM1767748297

Entity Name: GCP Users

Entity Type: Cloud Service Provider Customers

Industry: Various

Location: Global

Incident : Data Exposure FORCISAMAJPM1767748297

Entity Name: Microsoft Azure Users

Entity Type: Cloud Service Provider Customers

Industry: Various

Location: Global

Incident : Supply Chain Attack AMAWIZ1768515615

Entity Name: Amazon Web Services (AWS)

Entity Type: Cloud Service Provider

Industry: Technology/Cloud Computing

Location: Global

Size: Large

Customers Affected: All AWS customers (potentially)

Incident : Cyber Espionage, Lateral Movement, Credential Harvesting AMA1768595116

Entity Type: Energy sector organizations, businesses with cloud-hosted network infrastructure

Industry: Energy, Cloud Infrastructure

Location: Western nations, North America, Europe

Incident : Phishing LASAMA1769009064

Entity Name: LastPass

Entity Type: Company

Industry: Cybersecurity, Password Management

Customers Affected: LastPass users (unspecified number)

Incident : Data Breach TIKAMA1769016582

Entity Name: TikTok

Entity Type: Social Media Platform

Industry: Technology

Location: Ireland (HQ for European operations)

Customers Affected: European users

Response to the Incidents

What measures were taken in response to each incident?

Incident : Data Breach AMA0417522

Communication Strategy: Public demand for social engineering training

Incident : Data Breach AMA21461222

Remediation Measures: Fired Employees

Incident : Data Exposure AMA350181223

Containment Measures: Removed the S3 bucket

Incident : Bug/Exploit RIN709072225

Remediation Measures: Ring is deploying a fix

Communication Strategy: Ring posted on Facebook and updated its status page

Incident : Misconfiguration AMA505082225

Incident Response Plan Activated: True

Third Party Assistance: Fog Security (researchers who discovered the issue)

Containment Measures: AWS implemented fixes to Trusted Advisor in June 2025 to correctly detect misconfigured buckets; Emails sent to customers notifying them of the issue and fixes

Remediation Measures: Customers advised to enable Block Public Access Settings at account and bucket levels; Switch from ACLs to IAM policies recommended; Manual review of S3 bucket configurations urged

Recovery Measures: AWS Trusted Advisor now displays correct bucket status; Open-source tool released by Fog Security to scan S3 resources for access issues

Communication Strategy: AWS sent emails to customers (though coverage may be incomplete); Public disclosure via cybersecurity news outlets (e.g., Help Net Security)

Incident : Data Breach WHO631090125

Communication Strategy: Public disclosure via California Office of the Attorney General

Incident : DDoS Attack AMA4092640092325

Third Party Assistance: Darktrace (detection and analysis)

Remediation Measures: Securing Exposed Docker APIs, Disabling Unnecessary External Access to Docker Daemons, Reviewing AWS EC2 Configurations

Enhanced Monitoring: Darktrace Honeypots for Detection

Incident : Service Disruption AMA0232202102125

Incident Response Plan Activated: Yes (AWS acknowledged increased error rates and latencies; detailed post-event summary pending)

Containment Measures: Resolved DNS resolution issues; Addressed impairments in internal subsystem for network load balancer health monitoring

Remediation Measures: Cleared backlog of internet traffic requests; Restored services to normal operations

Recovery Measures: Full service restoration after ~16 hours

Communication Strategy: Public acknowledgment via AWS status website; spokeswoman provided updates to media (no detailed timeline for post-event summary)

Incident : Service Disruption AMA1902119102225

Incident Response Plan Activated: Yes (AWS reported fixing the underlying issue)

Containment Measures: Technical fix applied to data center malfunction

Incident : Vulnerability AMA0162101110725

Incident Response Plan Activated: True

Containment Measures: Urgent Security Bulletin (AWS-2025-025), End-of-Support Notification for Affected Versions

Remediation Measures: Upgrade to Amazon WorkSpaces client for Linux version 2025.0 or newer

Communication Strategy: Security Bulletin, Direct Outreach via [email protected] Advisory

Incident : ransomware AMA5032150112125

Remediation Measures: Hardening S3 bucket configurations, Enhancing encryption key management, Monitoring for abnormal key rotation activities

Enhanced Monitoring: cloud-native security tools for encryption/key management anomalies

Incident : Cryptocurrency Mining AMA1765965358

Containment Measures: Immediate rotation of IAM credentials, monitoring for unusual activity

Remediation Measures: Implementation of multifactor authentication (MFA), security audits, engagement with AWS support

Enhanced Monitoring: Amazon GuardDuty for threat detection

Incident : AI System Targeting, Cloud Infrastructure Exploitation AMAUNIGOOWAK1766721300

Third Party Assistance: Unit 42 (Palo Alto Networks)

Remediation Measures: Proactive cloud security policies, encryption standards, regular security audits, isolation of AI workloads

Network Segmentation: Recommended as part of holistic security approach

Enhanced Monitoring: Recommended for AI workloads and cloud environments

Incident : Phishing/Social Engineering, Malware Delivery LINAWS1766995316

Containment Measures: AWS Trust & Safety abuse reporting process, disabling prohibited content

Remediation Measures: Layered defenses, enhanced monitoring for unusual traffic patterns/file types, additional verification procedures for resume submissions

Enhanced Monitoring: Recommended (vigilance for unusual traffic patterns or file types)

Incident : Data Exposure FORCISAMAJPM1767748297

Enhanced Monitoring: Enabled identity-checking service (80%+ of AWS users)

Incident : Supply Chain Attack AMAWIZ1768515615

Incident Response Plan Activated: Yes

Third Party Assistance: Wiz (cloud security company)

Containment Measures: Remediation of misconfigured webhook filters, credential rotations

Remediation Measures: Anchoring regex patterns, enabling Pull Request Comment Approval build gate, using CodeBuild-hosted runners, limiting PAT permissions

Recovery Measures: Securing build processes containing GitHub tokens or credentials in memory

Communication Strategy: Public advisory released by AWS and Wiz

Incident : Cyber Espionage, Lateral Movement, Credential Harvesting AMA1768595116

Containment Measures: Disruption of active threat operations, customer notifications

Communication Strategy: Public disclosure by Amazon's Threat Intelligence unit

Incident : Phishing LASAMA1769009064

Third Party Assistance: Yes (partners to dismantle malicious infrastructure)

Containment Measures: Working to dismantle phishing infrastructure, urging users to delete suspicious emails

Remediation Measures: Reinforcing phishing awareness, blocking identified sender addresses

Communication Strategy: Advising users to report suspicious emails to [email protected], clarifying legitimate communication practices

What is the company's incident response plan?

Incident Response Plan: The company's incident response plan is described as Yes (AWS acknowledged increased error rates and latencies; detailed post-event summary pending), Yes (AWS reported fixing the underlying issue), Yes.

How does the company involve third-party assistance in incident response?

Third-Party Assistance: The company involves third-party assistance in incident response through Fog Security (researchers who discovered the issue), Darktrace (Detection and Analysis), Unit 42 (Palo Alto Networks), Wiz (cloud security company), Yes (partners to dismantle malicious infrastructure).

Data Breach Information

What type of data was compromised in each breach?

Incident : Data Breach AMA0417522

Type of Data Compromised: Credit card details, Address, Other personal information

Sensitivity of Data: High

Data Exfiltration: Yes

Personally Identifiable Information: Yes

Incident : Data Breach RIN01518622

Type of Data Compromised: Home addresses, Latitude and longitude, User account passwords

Number of Records Exposed: 1500

Sensitivity of Data: High

Incident : Data Breach RIN211261222

Type of Data Compromised: Video Data

Sensitivity of Data: High

File Types Exposed: Video Files

Incident : Data Breach AMA21461222

Type of Data Compromised: Email addresses, Phone numbers

Sensitivity of Data: Medium

Incident : Data Breach TWI19174123

Type of Data Compromised: Source code, Clients information, Unreleased games

Incident : Data Breach RIN2178523

Type of Data Compromised: Login information, Camera names, Time zones, Home address, Phone number, Payment information

Number of Records Exposed: 3672

Sensitivity of Data: High

Incident : Data Breach WHO04111223

Type of Data Compromised: Payment card information

Sensitivity of Data: High

Incident : Data Exposure AMA350181223

Type of Data Compromised: Id scans, Personal information

Number of Records Exposed: 119,000

Sensitivity of Data: High

Data Encryption: No

File Types Exposed: ID scans, Unencrypted data

Personally Identifiable Information: Yes

Incident : Privacy Violation AMA000072524

Type of Data Compromised: User data and browsing habits

Sensitivity of Data: High

Incident : Misconfiguration AMA505082225

Type of Data Compromised: Potential exposure of any data stored in misconfigured S3 buckets (e.g., PII, financial data, proprietary information)

Sensitivity of Data: Varies (high risk if buckets contain sensitive/regulated data)

Data Exfiltration: Possible (if attackers exploit the misconfiguration)

Personally Identifiable Information: Possible (if stored in affected buckets)

Incident : Data Breach WHO631090125

Type of Data Compromised: Payment card information

Number of Records Exposed: Unknown

Sensitivity of Data: High

Data Exfiltration: Likely (unauthorized access confirmed)

Incident : Vulnerability AMA0162101110725

Type of Data Compromised: Authentication tokens

Sensitivity of Data: High (Session Access Tokens)

Data Exfiltration: Potential Token Theft by Local Users

Incident : Ransomware AMA5032150112125

Data Encryption: Abuse of cloud-native encryption to render data unrecoverable

Incident : AI System Targeting, Cloud Infrastructure Exploitation AMAUNIGOOWAK1766721300

Type of Data Compromised: Sensitive data, AI training datasets, Personally identifiable information (PII)

Sensitivity of Data: High

Data Exfiltration: Possible (if cloud infrastructure is breached)

Data Encryption: Recommended but not universally implemented

Personally Identifiable Information: Possible

Incident : Phishing/Social Engineering, Malware Delivery LINAWS1766995316

Type of Data Compromised: Credentials, personally identifiable information (PII), sensitive employee data

Sensitivity of Data: High (PII, credentials, HR data)

Data Exfiltration: Possible (More_eggs malware enables follow-on attacks)

File Types Exposed: Malicious ZIP files containing JavaScript-based malware (More_eggs)

Personally Identifiable Information: Yes (credentials, HR data)

Incident : Data Exposure FORCISAMAJPM1767748297

Type of Data Compromised: Secrets, Confidential data, Restricted data, Personally identifiable information

Sensitivity of Data: High (confidential/restricted)

Personally Identifiable Information: Yes

Incident : Supply Chain Attack AMAWIZ1768515615

Type of Data Compromised: Privileged credentials (GitHub admin tokens, Personal Access Tokens)

Sensitivity of Data: High

Data Exfiltration: Potential (if exploited)

Incident : Cyber Espionage, Lateral Movement, Credential Harvesting AMA1768595116

Type of Data Compromised: Credentials, network access

Sensitivity of Data: High (critical infrastructure access)

Incident : Phishing LASAMA1769009064

Type of Data Compromised: Master passwords, Vault backups

Sensitivity of Data: High (password manager credentials)

Personally Identifiable Information: Potentially (if vaults contained PII)

Incident : Data Breach TIKAMA1769016582

Type of Data Compromised: User data

Sensitivity of Data: High (personal data of European users)

Personally Identifiable Information: Yes

What measures does the company take to prevent data exfiltration?

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Fired Employees, Ring is deploying a fix, Customers advised to enable Block Public Access Settings at account and bucket levels, Switch from ACLs to IAM policies recommended, Manual review of S3 bucket configurations urged, Securing Exposed Docker APIs, Disabling Unnecessary External Access to Docker Daemons, Reviewing AWS EC2 Configurations, Cleared backlog of internet traffic requests, Restored services to normal operations, Upgrade to Amazon WorkSpaces client for Linux version 2025.0 or newer, Hardening S3 bucket configurations, Enhancing encryption key management, Monitoring for abnormal key rotation activities, Implementation of multifactor authentication (MFA), Security audits, Engagement with AWS support, Proactive cloud security policies, Encryption standards, Regular security audits, Isolation of AI workloads, Layered defenses, Enhanced monitoring for unusual traffic patterns/file types, Additional verification procedures for resume submissions, Anchoring regex patterns, Enabling Pull Request Comment Approval build gate, Using CodeBuild-hosted runners, Limiting PAT permissions, Reinforcing phishing awareness, Blocking identified sender addresses.

How does the company handle incidents involving personally identifiable information (PII)?

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through: removing the S3 bucket; AWS implementing fixes to Trusted Advisor in June 2025 to correctly detect misconfigured buckets; emails sent to customers notifying them of the issue and fixes; resolving DNS resolution issues; addressing impairments in the internal subsystem for network load balancer health monitoring; a technical fix applied to the data center malfunction; an urgent security bulletin (AWS-2025-025); an end-of-support notification for affected versions; immediate rotation of IAM credentials; monitoring for unusual activity; the AWS Trust & Safety abuse reporting process; disabling prohibited content; remediation of misconfigured webhook filters; credential rotations; disruption of active threat operations; customer notifications; working to dismantle phishing infrastructure and urging users to delete suspicious emails.

Ransomware Information

Was ransomware involved in any of the incidents?

Incident : Ransomware AMA5032150112125

Data Encryption: Cloud-native encryption abuse (e.g., key rotation)

Incident : Phishing/Social Engineering, Malware Delivery LINAWS1766995316

Data Exfiltration: Possible (More_eggs enables follow-on attacks)

How does the company recover data encrypted by ransomware?

Data Recovery from Ransomware: The company recovers data encrypted by ransomware through AWS Trusted Advisor now displays correct bucket status, Open-source tool released by Fog Security to scan S3 resources for access issues, Full service restoration after ~16 hours, Securing build processes containing GitHub tokens or credentials in memory.

Regulatory Compliance

Were there any regulatory violations and fines imposed for each incident?

Incident : Privacy Violation AMA000072524

Regulations Violated: HIPAA, GDPR

Incident : Misconfiguration AMA505082225

Regulations Violated: Potential violations of GDPR, CCPA, HIPAA, or other data protection laws if sensitive data is exposed

Incident : Data Breach WHO631090125

Regulations Violated: Potential violation of California data breach notification laws (e.g., CCPA precursor)

Regulatory Notifications: California Office of the Attorney General

Incident : Service Disruption AMA0232202102125

Regulatory Notifications: Singapore's upcoming Digital Infrastructure Act (to be tabled in Parliament) aims to enhance accountability for cloud providers and data centers post-incident

Incident : Data Breach TIKAMA1769016582

Regulations Violated: GDPR

Fines Imposed: €530 million

Legal Actions: Fine upheld by Irish Data Protection Commission

How does the company ensure compliance with regulatory requirements?

Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through Fine upheld by Irish Data Protection Commission.

Lessons Learned and Recommendations

What lessons were learned from each incident?

Incident : Data Breach AMA0417522

Lessons Learned: Importance of social engineering training for employees

Incident : Privacy Violation AMA000072524

Lessons Learned: The need for clear user consent and transparency in data collection practices.

Incident : Misconfiguration AMA505082225

Lessons Learned: Over-reliance on automated security tools (e.g., Trusted Advisor) can create blind spots if their detection mechanisms are bypassable. Complex IAM/bucket policies increase the risk of misconfigurations that may not be caught by standard checks. Proactive manual reviews and third-party tools are critical for validating cloud security postures. Customer notifications for security issues must be comprehensive and clear about risks.

Incident : DDoS Attack AMA4092640092325

Lessons Learned: Exposed Docker APIs on cloud instances are a significant attack vector for DDoS campaigns. Threat actors are industrializing cybercrime with user-friendly tools (e.g., APIs, dashboards) for DDoS attacks. Misconfigurations in cloud-native environments (e.g., AWS EC2) can serve as launchpads for broader attacks. Building malicious containers on victim machines may reduce forensic evidence compared to importing prebuilt images.

Incident : Service Disruption AMA0232202102125

Lessons Learned: Overreliance on legacy technologies (e.g., DNS) poses systemic risks in cloud-era demands. Highly concentrated risk in single providers (e.g., AWS) can disrupt global operations akin to cyber attacks. Need for fortified cloud resilience and redundancy to mitigate ripple effects on digital economies. Government intervention (e.g., Singapore's Digital Infrastructure Act) may be necessary to enforce higher security/resilience standards.

Incident : Service Disruption AMA1902119102225

Lessons Learned: Heavy reliance on a few cloud providers (AWS, Azure, Google Cloud) creates single points of failure. Vendor lock-in traps customers due to complex data architectures and high egress costs. Geopolitical/regulatory risks arise from US-based providers subject to US laws, complicating international compliance (e.g., Australia’s Privacy Act). Cloud providers hold significant control over service access and censorship.

Incident : Vulnerability AMA0162101110725

Lessons Learned: Importance of robust token management in cloud desktop environments. Critical need for timely software updates in shared/multi-user systems. Proactive communication with users during vulnerability disclosures.

Incident : Ransomware AMA5032150112125

Lessons Learned: Attackers are evolving tactics to abuse legitimate cloud services (e.g., encryption/key management) as perimeter defenses improve. Organizations must monitor cloud-native security controls beyond traditional perimeter protections.

Incident : Cryptocurrency Mining AMA1765965358

Lessons Learned: Critical need for strong IAM protocols, regular security audits, and automated threat detection systems like GuardDuty to mitigate cloud-based threats.

Incident : AI System Targeting, Cloud Infrastructure Exploitation AMAUNIGOOWAK1766721300

Lessons Learned: AI security is fundamentally a cloud infrastructure problem. Reactive approaches are insufficient; organizations must adopt proactive, systematic, and scientific methods to secure AI systems. Cloud security must be treated as a foundational element of AI security.

Incident : Phishing/Social Engineering, Malware Delivery LINAWS1766995316

Lessons Learned: Traditional perimeter security is insufficient against social engineering tactics. Organizations must adopt holistic security strategies that account for human factors alongside technological defenses. HR personnel are increasingly targeted due to their regular interaction with external contacts.

Incident : Data Exposure FORCISAMAJPM1767748297

Lessons Learned: Organizations must prioritize secure cloud configurations, regularly audit cloud storage settings, and avoid storing sensitive data in publicly accessible or misconfigured buckets. AWS, GCP, and Azure users should enable identity-checking services and monitor for exposed secrets.

Incident : Supply Chain Attack AMAWIZ1768515615

Lessons Learned: CI/CD pipeline security is critical, especially for untrusted contributions. Misconfigurations in webhook filters can lead to high-impact breaches. Anchoring regex patterns and limiting PAT permissions are essential mitigations.

Incident : Cyber Espionage, Lateral Movement, Credential Harvesting AMA1768595116

Lessons Learned: Shift in Sandworm tactics from zero-day exploits to low-effort targeting of misconfigured devices; importance of securing edge devices and cloud-hosted network infrastructure.

Incident : Phishing LASAMA1769009064

Lessons Learned: Phishing campaigns often exploit reduced security staffing during holidays. Urgent language and credential requests in emails should be treated with heightened suspicion. Password manager users are high-value targets for credential harvesting.

Incident : Data Breach TIKAMA1769016582

Lessons Learned: Need for stricter safeguards in international data transfers, especially to non-U.S. countries.

What recommendations were made to prevent future incidents?

Incident : Data Breach AMA0417522

Recommendations: Implement social engineering training programs

Incident : Privacy Violation AMA000072524

Recommendations: Implement stricter data privacy policies and ensure compliance with relevant regulations.

Incident : Bug/Exploit RIN709072225

Recommendations: Review authorized devices, Change account password, Enable two-factor authentication

Incident : Misconfiguration AMA505082225

Recommendations: Enable AWS Block Public Access Settings at both account and bucket levels. Replace legacy ACLs with IAM policies for finer-grained access control. Regularly audit S3 bucket configurations using AWS tools and third-party scanners (e.g., Fog Security’s open-source tool). Monitor for unusual access patterns or policy changes in S3 buckets. AWS should improve the clarity and reach of security advisories to ensure all affected customers are notified.

Incident : DDoS Attack AMA4092640092325

Recommendations: Disable external access to Docker daemons unless absolutely necessary. Regularly audit cloud configurations (e.g., AWS EC2) for exposed services. Implement network segmentation to limit lateral movement from compromised containers. Use behavioral detection tools (e.g., Darktrace) to identify anomalous container activity. Monitor for unauthorized use of Docker SDK or container deployment tools.

Incident : Service Disruption AMA0232202102125

Recommendations: Modernize DNS and critical infrastructure to meet cloud-era demands. Implement redundancy and failover mechanisms for core services like DNS and load balancers. Enhance transparency in post-incident disclosures (e.g., timely root cause analysis). Diversify cloud dependencies to reduce single points of failure. Strengthen collaboration between cloud providers and regulators to improve resilience standards.

Incident : Service Disruption AMA1902119102225

Recommendations: Mitigate risks by diversifying cloud providers or adopting multi-cloud strategies. Negotiate contracts to reduce vendor lock-in and data egress costs. Assess geopolitical/regulatory risks when selecting cloud providers. Implement redundancy and backup systems to minimize downtime impact.

Incident : Vulnerability AMA0162101110725

Recommendations: Immediately upgrade to Amazon WorkSpaces client for Linux version 2025.0 or later. Monitor shared/multi-user Linux environments for unauthorized WorkSpace access. Implement least-privilege principles for local user permissions. Regularly audit authentication token handling in virtual desktop solutions.

Incident : Ransomware AMA5032150112125

Recommendations: Implement strict access controls and encryption key management policies for S3 buckets. Monitor for unusual key rotation or encryption activities in cloud environments. Adopt zero-trust principles for cloud storage services. Regularly audit S3 bucket configurations for misconfigurations.

Incident : Cryptocurrency Mining AMA1765965358

Recommendations: Rotate IAM credentials immediately to prevent unauthorized access, Enable multifactor authentication (MFA) for all AWS accounts, Monitor AWS accounts for unusual activity or configurations, Engage with AWS support or security teams for incident response guidance, Conduct regular security audits and reviews of AWS environments

Incident : AI System Targeting, Cloud Infrastructure Exploitation AMAUNIGOOWAK1766721300

Recommendations: Implement strong cloud security policies and encryption standards. Conduct regular security audits of cloud environments hosting AI workloads. Isolate AI workloads from potential vulnerabilities in the cloud. Adopt advanced AI-specific security tools and protocols for real-time threat detection. Collaborate with cloud service providers, AI developers, and security professionals to develop robust security frameworks. Enhance network segmentation and monitoring for AI systems.

Incident : Phishing/Social Engineering, Malware Delivery LINAWS1766995316

Recommendations: Implement comprehensive training programs for HR personnel on phishing and social engineering risks. Adopt additional verification procedures for resume submissions and external communications. Enhance monitoring for unusual traffic patterns or file types (e.g., ZIP files from unexpected sources). Use layered defenses (e.g., behavioral WAF, network segmentation) to detect and block malicious activity. Report abuse of cloud services (e.g., AWS) to platform providers for takedown. Maintain vigilance for cloud-hosted phishing sites using trusted IP ranges.

Incident : Data Exposure FORCISAMAJPM1767748297

Recommendations: Conduct regular audits of cloud storage configurations; enable identity-checking services (e.g., AWS IAM); avoid storing sensitive data in user data or environment variables; implement network segmentation and enhanced monitoring; adopt secure development practices to prevent misconfigurations.

Incident : Supply Chain Attack AMAWIZ1768515615

Recommendations: Enable the Pull Request Comment Approval build gate for untrusted contributions; use CodeBuild-hosted runners to manage build triggers via GitHub workflows; ensure regex patterns in webhook filters are anchored (use ^ and $); generate a unique PAT for each CodeBuild project; limit PAT permissions to the minimum required; use a dedicated unprivileged GitHub account for CodeBuild integration.

Incident : Cyber Espionage, Lateral Movement, Credential Harvesting AMA1768595116

Recommendations: Secure management interfaces on edge devices, enforce proper configurations, monitor for persistent connections from actor-controlled IPs, collaborate with cloud providers for threat intelligence.

Incident : Phishing LASAMA1769009064

Recommendations: Bolster email security controls to block messages from identified sender addresses. Reinforce phishing awareness training, particularly regarding urgent language and unsolicited credential requests. Encourage users to report suspicious emails to designated abuse contacts.

Incident : Data Breach TIKAMA1769016582

Recommendations: Implement robust data protection measures for cross-border data flows, ensure transparency in data storage practices, and comply with GDPR requirements for international transfers.

What are the key lessons learned from past incidents ?

Key Lessons Learned: The key lessons learned from past incidents are:
Importance of social engineering training for employees.
The need for clear user consent and transparency in data collection practices.
Over-reliance on automated security tools (e.g., Trusted Advisor) can create blind spots if their detection mechanisms are bypassable.
Complex IAM/bucket policies increase the risk of misconfigurations that may not be caught by standard checks.
Proactive manual reviews and third-party tools are critical for validating cloud security postures.
Customer notifications for security issues must be comprehensive and clear about risks.
Exposed Docker APIs on cloud instances are a significant attack vector for DDoS campaigns.
Threat actors are industrializing cybercrime with user-friendly tools (e.g., APIs, dashboards) for DDoS attacks.
Misconfigurations in cloud-native environments (e.g., AWS EC2) can serve as launchpads for broader attacks.
Building malicious containers on victim machines may reduce forensic evidence compared to importing prebuilt images.
Overreliance on legacy technologies (e.g., DNS) poses systemic risks in cloud-era demands.
Highly concentrated risk in single providers (e.g., AWS) can disrupt global operations akin to cyber attacks.
Need for fortified cloud resilience and redundancy to mitigate ripple effects on digital economies.
Government intervention (e.g., Singapore's Digital Infrastructure Act) may be necessary to enforce higher security/resilience standards.
Heavy reliance on a few cloud providers (AWS, Azure, Google Cloud) creates single points of failure.
Vendor lock-in traps customers due to complex data architectures and high egress costs.
Geopolitical/regulatory risks arise from US-based providers subject to US laws, complicating international compliance (e.g., Australia’s Privacy Act).
Cloud providers hold significant control over service access and censorship.
Importance of robust token management in cloud desktop environments.
Critical need for timely software updates in shared/multi-user systems.
Proactive communication with users during vulnerability disclosures.
Attackers are evolving tactics to abuse legitimate cloud services (e.g., encryption/key management) as perimeter defenses improve.
Organizations must monitor cloud-native security controls beyond traditional perimeter protections.
Critical need for strong IAM protocols, regular security audits, and automated threat detection systems like GuardDuty to mitigate cloud-based threats.
AI security is fundamentally a cloud infrastructure problem. Reactive approaches are insufficient; organizations must adopt proactive, systematic, and scientific methods to secure AI systems. Cloud security must be treated as a foundational element of AI security.
Traditional perimeter security is insufficient against social engineering tactics. Organizations must adopt holistic security strategies that account for human factors alongside technological defenses. HR personnel are increasingly targeted due to their regular interaction with external contacts.
Organizations must prioritize secure cloud configurations, regularly audit cloud storage settings, and avoid storing sensitive data in publicly accessible or misconfigured buckets. AWS, GCP, and Azure users should enable identity-checking services and monitor for exposed secrets.
CI/CD pipeline security is critical, especially for untrusted contributions. Misconfigurations in webhook filters can lead to high-impact breaches. Anchoring regex patterns and limiting PAT permissions are essential mitigations.
Shift in Sandworm tactics from zero-day exploits to low-effort targeting of misconfigured devices; importance of securing edge devices and cloud-hosted network infrastructure.
Phishing campaigns often exploit reduced security staffing during holidays. Urgent language and credential requests in emails should be treated with heightened suspicion. Password manager users are high-value targets for credential harvesting.
Need for stricter safeguards in international data transfers, especially to non-U.S. countries.

What recommendations has the company implemented to improve cybersecurity ?

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity:
Report abuse of cloud services (e.g., AWS) to platform providers for takedown.
Implement comprehensive training programs for HR personnel on phishing and social engineering risks.
Implement robust data protection measures for cross-border data flows, ensure transparency in data storage practices, and comply with GDPR requirements for international transfers.
Rotate IAM credentials immediately to prevent unauthorized access.
Implement network segmentation and enhanced monitoring.
Conduct regular security audits and reviews of AWS environments.
Secure management interfaces on edge devices, enforce proper configurations, monitor for persistent connections from actor-controlled IPs, collaborate with cloud providers for threat intelligence.
Implement stricter data privacy policies and ensure compliance with relevant regulations.
Enhance monitoring for unusual traffic patterns or file types (e.g., ZIP files from unexpected sources).
Adopt secure development practices to prevent misconfigurations.
Implement strong cloud security policies and encryption standards.
Avoid storing sensitive data in user data or environment variables.
Conduct regular audits of cloud storage configurations.
Collaborate with cloud service providers, AI developers, and security professionals to develop robust security frameworks.
Enable identity-checking services (e.g., AWS IAM).
Implement social engineering training programs.
Monitor AWS accounts for unusual activity or configurations.
Isolate AI workloads from potential vulnerabilities in the cloud.
Conduct regular security audits of cloud environments hosting AI workloads.
Adopt advanced AI-specific security tools and protocols for real-time threat detection.
Adopt additional verification procedures for resume submissions and external communications.
Use layered defenses (e.g., behavioral WAF, network segmentation) to detect and block malicious activity.
Bolster email security controls to block messages from identified sender addresses. Reinforce phishing awareness training, particularly regarding urgent language and unsolicited credential requests. Encourage users to report suspicious emails to designated abuse contacts.
Enable multifactor authentication (MFA) for all AWS accounts.
Engage with AWS support or security teams for incident response guidance.
Enhance network segmentation and monitoring for AI systems.
Maintain vigilance for cloud-hosted phishing sites using trusted IP ranges.

References

Where can I find more information about each incident ?

Incident : Data Breach TWI19174123

Source: Video Games Chronicle

Incident : Privacy Violation AMA000072524

Source: webXray

Incident : Misconfiguration AMA000082124

Source: Security firm Miggo

Incident : Bug/Exploit RIN709072225

Source: BleepingComputer

Incident : Misconfiguration AMA505082225

Source: Help Net Security

Incident : Misconfiguration AMA505082225

Source: Fog Security Research

Incident : Data Breach WHO631090125

Source: California Office of the Attorney General

Incident : DDoS Attack AMA4092640092325

Source: Darktrace Blog Post

Incident : DDoS Attack AMA4092640092325

Source: Shane Barney, CISO at Keeper Security

Incident : Service Disruption AMA0232202102125

Source: The Straits Times (ST)

Incident : Service Disruption AMA0232202102125

Source: Downdetector

URL: https://downdetector.com

Incident : Service Disruption AMA0232202102125

Source: AWS Status Page

URL: https://status.aws.amazon.com

Incident : Service Disruption AMA0232202102125

Source: Keeper Security (Darren Guccione, CEO)

Incident : Service Disruption AMA0232202102125

Source: Forrester (Brent Ellis, Principal Analyst)

Incident : Service Disruption AMA1902119102225

Source: The Conversation

Incident : Vulnerability AMA0162101110725

Source: AWS Security Bulletin AWS-2025-025

Date Accessed: 2025-11-05

Incident : Vulnerability AMA0162101110725

Source: Amazon WorkSpaces Client Download Page

Incident : ransomware AMA5032150112125

Source: Trend Micro Report

Incident : ransomware AMA5032150112125

Source: Sysdig (Crystal Morin, Senior Cybersecurity Strategist)

Incident : Cryptocurrency Mining AMA1765965358

Source: Amazon GuardDuty Threat Detection

Incident : AI System Targeting, Cloud Infrastructure Exploitation AMAUNIGOOWAK1766721300

Source: Unit 42 (Palo Alto Networks) and Wakefield Research

Date Accessed: 2025-10-17

Incident : AI System Targeting, Cloud Infrastructure Exploitation AMAUNIGOOWAK1766721300

Source: State of Cloud Security Report 2025

Incident : Phishing/Social Engineering, Malware Delivery LINAWS1766995316

Source: DomainTools Research

Incident : Phishing/Social Engineering, Malware Delivery LINAWS1766995316

Source: AWS Spokesperson Statement

Incident : Data Exposure FORCISAMAJPM1767748297

Source: Tenable Report on Toxic Cloud Trilogies

Date Accessed: 2025-03-05

Incident : Data Exposure FORCISAMAJPM1767748297

Source: Cybersecurity Dive

Date Accessed: 2025-03-05

Incident : Supply Chain Attack AMAWIZ1768515615

Source: The Hacker News

Date Accessed: 2025-09-01

Incident : Supply Chain Attack AMAWIZ1768515615

Source: Wiz Research Report

Date Accessed: 2025-09-01

Incident : Supply Chain Attack AMAWIZ1768515615

Source: AWS Advisory

Date Accessed: 2025-09-01

Incident : Cyber Espionage, Lateral Movement, Credential Harvesting AMA1768595116

Source: Amazon Threat Intelligence Unit

Incident : Phishing LASAMA1769009064

Source: LastPass Advisory

Incident : Data Breach TIKAMA1769016582

Source: DLA Piper Report

Date Accessed: 2025

Where can stakeholders find additional resources on cybersecurity best practices ?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at the following sources:
Video Games Chronicle
webXray
Security firm Miggo
BleepingComputer
Help Net Security
Fog Security Research
California Office of the Attorney General
Darktrace Blog Post
Shane Barney, CISO at Keeper Security
The Straits Times (ST)
Downdetector (https://downdetector.com)
AWS Status Page (https://status.aws.amazon.com)
Keeper Security (Darren Guccione, CEO)
Forrester (Brent Ellis, Principal Analyst)
The Conversation
AWS Security Bulletin AWS-2025-025 (accessed 2025-11-05)
Amazon WorkSpaces Client Download Page
Trend Micro Report
Sysdig (Crystal Morin, Senior Cybersecurity Strategist)
Amazon GuardDuty Threat Detection
Unit 42 (Palo Alto Networks) and Wakefield Research (accessed 2025-10-17)
State of Cloud Security Report 2025
DomainTools Research
AWS Spokesperson Statement
Tenable Report on Toxic Cloud Trilogies (accessed 2025-03-05)
Cybersecurity Dive (accessed 2025-03-05)
The Hacker News (accessed 2025-09-01)
Wiz Research Report (accessed 2025-09-01)
AWS Advisory (accessed 2025-09-01)
Amazon Threat Intelligence Unit
LastPass Advisory
DLA Piper Report (accessed 2025)

Investigation Status

What is the current status of the investigation for each incident ?

Incident : Bug/Exploit RIN709072225

Investigation Status: Ongoing

Incident : Misconfiguration AMA505082225

Investigation Status: Resolved (fix implemented by AWS in June 2025)

Incident : DDoS Attack AMA4092640092325

Investigation Status: Ongoing (Darktrace Honeypots Active)

Incident : Service Disruption AMA0232202102125

Investigation Status: Ongoing (AWS to release detailed post-event summary; no timeline provided)

Incident : Service Disruption AMA1902119102225

Investigation Status: Resolved (underlying issue fixed, but some disruptions persisted)

Incident : Vulnerability AMA0162101110725

Investigation Status: Resolved (Patch Available)

Incident : Cryptocurrency Mining AMA1765965358

Investigation Status: Ongoing

Incident : AI System Targeting, Cloud Infrastructure Exploitation AMAUNIGOOWAK1766721300

Investigation Status: Ongoing (research findings published)

Incident : Data Exposure FORCISAMAJPM1767748297

Investigation Status: Ongoing (based on scans conducted between October 2024 and March 2025)

Incident : Supply Chain Attack AMAWIZ1768515615

Investigation Status: Resolved

Incident : Cyber Espionage, Lateral Movement, Credential Harvesting AMA1768595116

Investigation Status: Ongoing (disruption of active operations, customer notifications)

Incident : Phishing LASAMA1769009064

Investigation Status: Ongoing

Incident : Data Breach TIKAMA1769016582

Investigation Status: Completed (fine upheld)

How does the company communicate the status of incident investigations to stakeholders ?

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through: public demand for social engineering training; Ring posted on Facebook and updated its status page; AWS sent emails to customers (though coverage may be incomplete); public disclosure via cybersecurity news outlets (e.g., Help Net Security); public disclosure via the California Office of the Attorney General; public acknowledgment via the AWS status website, with a spokeswoman providing updates to media (no detailed timeline for the post-event summary); security bulletin; direct outreach via [email protected]; public advisory; public advisory released by AWS and Wiz; public disclosure by Amazon's Threat Intelligence unit; advising users to report suspicious emails to [email protected] and clarifying legitimate communication practices.

Stakeholder and Customer Advisories

Were there any advisories issued to stakeholders or customers for each incident ?

Incident : Bug/Exploit RIN709072225

Customer Advisories: Ring users should review authorized devices from the app's Control Center > Authorized Client Devices section. If any devices or logins are not recognized, they should be removed immediately.

Incident : Misconfiguration AMA505082225

Stakeholder Advisories: AWS sent emails to customers (potentially incomplete); public disclosure via cybersecurity media.

Customer Advisories: Enable Block Public Access settings. Review and retire ACLs in favor of IAM policies. Scan S3 buckets for unintended public exposure using tools like Fog Security’s open-source scanner.

Incident : Service Disruption AMA0232202102125

Customer Advisories: AWS acknowledged service disruptions via status page; no specific customer advisories mentioned.

Incident : Vulnerability AMA0162101110725

Stakeholder Advisories: AWS-2025-025 Security Bulletin.

Customer Advisories: Upgrade to version 2025.0 immediately; contact [email protected] for concerns.

Incident : Cryptocurrency Mining AMA1765965358

Stakeholder Advisories: AWS users advised to review security configurations and conduct regular audits to detect and address unauthorized activities.

Customer Advisories: AWS customers should rotate IAM credentials, enable MFA, and monitor accounts for unusual activity.

Incident : AI System Targeting, Cloud Infrastructure Exploitation AMAUNIGOOWAK1766721300

Stakeholder Advisories: Organizations are advised to adopt a proactive and scientific approach to AI security, focusing on securing cloud infrastructure as a priority.

Incident : Supply Chain Attack AMAWIZ1768515615

Stakeholder Advisories: AWS released an advisory detailing the misconfiguration and remediation steps.

Incident : Phishing LASAMA1769009064

Stakeholder Advisories: Organizations advised to block identified sender addresses and reinforce phishing awareness.

Customer Advisories: LastPass users advised to delete suspicious emails, report them to [email protected], and avoid responding to unsolicited urgent requests for credentials.

What advisories does the company provide to stakeholders and customers following an incident ?

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident:
Ring users should review authorized devices from the app's Control Center > Authorized Client Devices section. If any devices or logins are not recognized, they should be removed immediately.
AWS sent emails to customers (potentially incomplete); public disclosure via cybersecurity media.
Enable Block Public Access settings.
Review and retire ACLs in favor of IAM policies.
Scan S3 buckets for unintended public exposure using tools like Fog Security’s open-source scanner.
AWS acknowledged service disruptions via status page; no specific customer advisories mentioned.
AWS-2025-025 Security Bulletin.
Upgrade to version 2025.0 immediately; contact [email protected] for concerns.
AWS users advised to review security configurations and conduct regular audits to detect and address unauthorized activities.
AWS customers should rotate IAM credentials, enable MFA, and monitor accounts for unusual activity.
Organizations are advised to adopt a proactive and scientific approach to AI security, focusing on securing cloud infrastructure as a priority.
AWS released an advisory detailing the misconfiguration and remediation steps.
Organizations advised to block identified sender addresses and reinforce phishing awareness.
LastPass users advised to delete suspicious emails, report them to [email protected], and avoid responding to unsolicited urgent requests for credentials.

Initial Access Broker

How did the initial access broker gain entry for each incident ?

Incident : Data Breach AMA0417522

Entry Point: Email

Incident : Data Breach RIN01518622

Entry Point: Security flaw in Neighbors app

Incident : DDoS Attack AMA4092640092325

Entry Point: Exposed Docker API on AWS EC2

High Value Targets: AWS EC2 instances with Docker

Data Sold on Dark Web: AWS EC2 instances with Docker

Incident : ransomware AMA5032150112125

Entry Point: Misconfigured S3 buckets, compromised cloud credentials

High Value Targets: S3 buckets with critical/sensitive data

Data Sold on Dark Web: S3 buckets with critical/sensitive data

Incident : Cryptocurrency Mining AMA1765965358

Entry Point: Compromised IAM credentials

Incident : AI System Targeting, Cloud Infrastructure Exploitation AMAUNIGOOWAK1766721300

High Value Targets: AI workloads, cloud environments

Data Sold on Dark Web: AI workloads, cloud environments

Incident : Phishing/Social Engineering, Malware Delivery LINAWS1766995316

Entry Point: LinkedIn, Indeed (professional networking platforms)

Backdoors Established: More_eggs malware (JavaScript backdoor)

High Value Targets: HR professionals, recruiters

Data Sold on Dark Web: HR professionals, recruiters

Incident : Supply Chain Attack AMAWIZ1768515615

Entry Point: Predictable GitHub actor ID via bot user registration

High Value Targets: AWS-managed GitHub repositories (e.g., aws-sdk-js-v3)

Data Sold on Dark Web: AWS-managed GitHub repositories (e.g., aws-sdk-js-v3)

Incident : Cyber Espionage, Lateral Movement, Credential Harvesting AMA1768595116

Entry Point: Exposed management interfaces on misconfigured edge devices

Backdoors Established: Persistent access to victim networks

High Value Targets: Energy sector, critical infrastructure

Data Sold on Dark Web: Energy sector, critical infrastructure

Incident : Phishing LASAMA1769009064

Entry Point: Phishing email

High Value Targets: LastPass users

Data Sold on Dark Web: LastPass users

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident ?

Incident : Data Breach AMA0417522

Root Causes: Lack of social engineering awareness

Corrective Actions: Implement social engineering training

Incident : Data Breach TWI19174123

Root Causes: Error in server configuration change

Incident : Data Exposure AMA350181223

Root Causes: Misconfigured S3 bucket

Corrective Actions: Removed the S3 bucket

Incident : Privacy Violation AMA000072524

Root Causes: Lack of clear user consent and transparency in data collection.

Incident : Misconfiguration AMA000082124

Root Causes: Misconfiguration of AWS Application Load Balancer Authentication

Incident : Bug/Exploit RIN709072225

Root Causes: Backend Update Bug

Incident : Misconfiguration AMA505082225

Root Causes: Trusted Advisor’s inability to detect public bucket status when specific `Deny` policies block its checks (`s3:GetBucketPolicyStatus`, `s3:GetBucketPublicAccessBlock`, `s3:GetBucketAcl`). Overlap between legacy ACLs and modern bucket policies creating confusion and misconfiguration risks. Lack of redundant validation mechanisms to cross-check bucket exposure status.

Corrective Actions: AWS updated Trusted Advisor to bypass or account for `Deny` policies that previously blocked its checks. Customer guidance issued to enforce Block Public Access and migrate from ACLs to IAM policies. Open-source tool provided by Fog Security to help customers audit S3 configurations.

Incident : DDoS Attack AMA4092640092325

Root Causes: Misconfigured Docker daemons exposed to the internet. Lack of access controls for Docker APIs on cloud instances. Default Docker settings not hardened for production environments.

Corrective Actions: Secure Docker APIs by default, restricting external access. Enforce least-privilege principles for cloud instance configurations. Deploy behavioral detection for containerized environments.

Incident : Service Disruption AMA0232202102125

Root Causes: Pending AWS's detailed summary (potential causes: hardware error, misconfiguration, human error, or unforeseen DNS subsystem failures)

Corrective Actions: Pending AWS's detailed summary (known actions: DNS resolution fixes, load balancer subsystem repairs, traffic backlog clearance)

Incident : Service Disruption AMA1902119102225

Root Causes: Malfunction at AWS data center in Northern Virginia (likely a configuration error)

Corrective Actions: Technical fix applied; no further details provided

Incident : Vulnerability AMA0162101110725

Root Causes: Improper handling of authentication tokens in DCV-based WorkSpaces; insecure token storage accessible to local users

Corrective Actions: Token management overhaul in version 2025.0; enhanced access controls for multi-user environments

Incident : ransomware AMA5032150112125

Root Causes: Over-reliance on perimeter defenses without monitoring cloud-native services. Misconfigured or weakly managed encryption keys in S3 buckets. Lack of visibility into cloud-specific attack vectors (e.g., key rotation abuse).

Corrective Actions: Enhance Logging And Monitoring For Cloud Encryption/Key Management Services., Enforce Least-Privilege Access For S3 Buckets And Associated Keys., Conduct Red-Team Exercises Simulating Cloud-Native Ransomware Scenarios.,

Incident : Cryptocurrency Mining AMA1765965358

Root Causes: Weak IAM credential security, lack of MFA, insufficient monitoring of AWS environments

Corrective Actions: Strengthen IAM policies, implement MFA, enhance monitoring with GuardDuty, conduct security audits

Incident : AI System Targeting, Cloud Infrastructure Exploitation AMAUNIGOOWAK1766721300

Root Causes: Weaknesses in cloud security frameworks; insufficient encryption and identity management; lack of proactive security measures for AI systems; over-reliance on reactive security approaches.

Corrective Actions: Strengthen cloud security policies; implement encryption and identity management best practices; adopt proactive security measures for AI workloads; enhance network segmentation and monitoring.

Incident : Phishing/Social Engineering, Malware Delivery LINAWS1766995316

Root Causes: Exploitation of trust in professional networking platforms (LinkedIn/Indeed). Abuse of trusted cloud infrastructure (AWS EC2/S3) to host malicious content. Sophisticated traffic filtering to evade detection (IP reputation, geolocation, OS fingerprinting). Use of CAPTCHA to bypass automated security scanners. Lack of verification procedures for external communications in HR workflows.

Corrective Actions: Implement stricter verification for external communications (e.g., resume submissions). Enhance monitoring for cloud-hosted phishing sites using trusted IP ranges. Train HR personnel on social engineering risks and phishing tactics. Adopt layered security defenses (e.g., behavioral WAF, network segmentation). Collaborate with cloud providers to report and disable abusive content.

Incident : Data Exposure FORCISAMAJPM1767748297

Root Causes: Misconfigured cloud storage buckets; public exposure of sensitive data; lack of identity-checking services in some cases; overconfidence in cloud provider security measures.

Corrective Actions: Enable identity-checking services; regularly audit cloud configurations; remove sensitive data from user data/environment variables; implement enhanced monitoring.

Incident : Supply Chain Attack AMAWIZ1768515615

Root Causes: Insufficient regex anchoring in AWS CodeBuild webhook filters, allowing unauthorized actor IDs to trigger builds and access privileged credentials.

Corrective Actions: Anchored regex patterns, rotated credentials, implemented additional build process security measures.

Incident : Cyber Espionage, Lateral Movement, Credential Harvesting AMA1768595116

Root Causes: Customer misconfigurations in network edge devices, lack of proper security controls for exposed management interfaces

Corrective Actions: Disruption of threat operations, customer notifications, collaboration with security community to counter state-sponsored threats

Incident : Phishing LASAMA1769009064

Root Causes: Exploitation of user trust via social engineering, use of compromised AWS S3 buckets and spoofed domains, timing attack during holiday weekend to evade detection.

Corrective Actions: Dismantling phishing infrastructure, blocking malicious sender addresses, reinforcing user education on phishing risks.

Incident : Data Breach TIKAMA1769016582

Root Causes: Inadequate safeguards for data transfers to China, lack of transparency in data storage practices

What is the company's process for conducting post-incident analysis ?

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Fog Security (researchers who discovered the issue), Darktrace (detection and analysis), Darktrace honeypots for detection, cloud-native security tools for encryption/key management anomalies, Amazon GuardDuty for threat detection, Unit 42 (Palo Alto Networks), recommended for AI workloads and cloud environments, recommended (vigilance for unusual traffic patterns or file types), enabled identity-checking service (80%+ of AWS users), Wiz (cloud security company).

What corrective actions has the company taken based on post-incident analysis ?

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Implement social engineering training; Removed the S3 bucket; AWS updated Trusted Advisor to bypass or account for `Deny` policies that previously blocked its checks; Customer guidance issued to enforce Block Public Access and migrate from ACLs to IAM policies; Open-source tool provided by Fog Security to help customers audit S3 configurations; Secure Docker APIs by default, restricting external access; Enforce least-privilege principles for cloud instance configurations; Deploy behavioral detection for containerized environments; Pending AWS's detailed summary (known actions: DNS resolution fixes, load balancer subsystem repairs, traffic backlog clearance); Technical fix applied, no further details provided; Token management overhaul in version 2025.0; Enhanced access controls for multi-user environments; Enhance logging and monitoring for cloud encryption/key management services; Enforce least-privilege access for S3 buckets and associated keys; Conduct red-team exercises simulating cloud-native ransomware scenarios; Strengthen IAM policies, implement MFA, enhance monitoring with GuardDuty, conduct security audits; Strengthen cloud security policies; Implement encryption and identity management best practices; Adopt proactive security measures for AI workloads; Enhance network segmentation and monitoring; Implement stricter verification for external communications (e.g., resume submissions); Enhance monitoring for cloud-hosted phishing sites using trusted IP ranges; Train HR personnel on social engineering risks and phishing tactics; Adopt layered security defenses (e.g., behavioral WAF, network segmentation); Collaborate with cloud providers to report and disable abusive content; Enable identity-checking services; Regularly audit cloud configurations; Remove sensitive data from user data/environment variables; Implement enhanced monitoring; Anchored regex patterns, rotated credentials, implemented additional build process security measures; Disruption of threat operations, customer notifications, collaboration with security community to counter state-sponsored threats; Dismantling phishing infrastructure, blocking malicious sender addresses, reinforcing user education on phishing risks.

Additional Questions

General Information

Who was the attacking group in the last incident ?

Last Attacking Group: The attacking group in the last incident was listed as: Unknown, Hackers, Ring Employees, Employees, Anonymous Hacker, Thieves, Malicious Insiders (e.g., disgruntled employees), External Attackers with Compromised Credentials, Accidental Misconfiguration by Legitimate Users, ShadowV2, FIN6 (Skeleton Spider), Sandworm (GRU-linked and Russian state-sponsored).

Incident Details

What was the most recent incident detected ?

Most Recent Incident Detected: The most recent incident detected was on 2023-05-28.

What was the most recent incident publicly disclosed ?

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025.

What was the most recent incident resolved ?

Most Recent Incident Resolved: The most recent incident resolved was on 2025-06.

Impact of the Incidents

What was the most significant data compromised in an incident ?

Most Significant Data Compromised: The most significant data compromised in an incident were Credit Card Details, Address, Other Personal Information, Home addresses, Latitude and longitude, User account passwords, Video Data, Email Addresses, Phone Numbers, Source code, Clients information, Unreleased games, Login Emails, Passwords, Time Zones, Camera Names, Home Address, Phone Number, Payment Information, Payment Card Information, ID scans, Personal Information, User data and browsing habits, Potential exposure of sensitive data in publicly accessible S3 buckets (scope depends on bucket contents), Payment card information, Authentication Tokens, Potential WorkSpace Session Access, Sensitive data, AI training datasets, personally identifiable information, Credentials, sensitive employee data, system access, Sensitive data, including confidential and restricted information, GitHub admin tokens, repository secrets, privileged credentials, Credentials, network access, Master passwords, Vault backups and European users’ data stored on Chinese servers.

What was the most significant system affected in an incident ?

Most Significant System Affected: The most significant systems affected in an incident were Ring Cameras; Payment Card Systems; Amazon S3 Bucket; AWS S3 Buckets, Trusted Advisor Security Checks; AWS EC2 Instances with Exposed Docker APIs, Victim Containers; DNS infrastructure, Network load balancers, Multiple AWS services in US-East-1; Cloud services, Banking platforms, Financial software (e.g., Xero), Social media (e.g., Snapchat); Amazon WorkSpaces client for Linux (versions 2023.0–2024.8); AWS S3 buckets; AWS S3 Buckets, GCP Cloud Storage, AWS Elastic Container Service, Google Cloud Run, AWS EC2 User Data.

Response to the Incidents

What third-party assistance was involved in the most recent incident ?

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was Fog Security (researchers who discovered the issue), Darktrace (detection and analysis), Unit 42 (Palo Alto Networks) and Wiz (cloud security company).

What containment measures were taken in the most recent incident ?

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were: Removed the S3 bucket; AWS implemented fixes to Trusted Advisor in June 2025 to correctly detect misconfigured buckets, emails sent to customers notifying them of the issue and fixes; Resolved DNS resolution issues, addressed impairments in internal subsystem for network load balancer health monitoring; Technical fix applied to data center malfunction; Urgent Security Bulletin (AWS-2025-025), end-of-support notification for affected versions; Immediate rotation of IAM credentials, monitoring for unusual activity; AWS Trust & Safety abuse reporting process, disabling prohibited content; Remediation of misconfigured webhook filters, credential rotations; Disruption of active threat operations, customer notifications; Working to dismantle phishing infrastructure and urging users to delete suspicious emails.

Data Breach Information

What was the most sensitive data compromised in a breach ?

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Payment card information, Camera Names, Phone Number, GitHub admin tokens, repository secrets, privileged credentials, Clients information, Payment Card Information, Time Zones, Sensitive data, AI training datasets, personally identifiable information, European users’ data stored on Chinese servers, Video Data, Latitude and longitude, Other Personal Information, ID scans, Unreleased games, Master passwords, Vault backups, Passwords, Payment Information, Credit Card Details, Address, Email Addresses, User account passwords, Potential WorkSpace Session Access, Home Address, Credentials, sensitive employee data, system access, User data and browsing habits, Home addresses, Login Emails, Authentication Tokens, Source code, Sensitive data, including confidential and restricted information, Personal Information, Potential exposure of sensitive data in publicly accessible S3 buckets (scope depends on bucket contents), Phone Numbers, Credentials and network access.

What was the number of records exposed in the most significant breach ?

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 119.5K.

Regulatory Compliance

What was the highest fine imposed for a regulatory violation ?

Highest Fine Imposed: The highest fine imposed for a regulatory violation was €530 million.

What was the most significant legal action taken for a regulatory violation ?

Most Significant Legal Action: The most significant legal action taken for a regulatory violation was Fine upheld by Irish Data Protection Commission.

Lessons Learned and Recommendations

What was the most significant lesson learned from past incidents ?

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Organizations must monitor cloud-native security controls beyond traditional perimeter protections., Critical need for strong IAM protocols, regular security audits, and automated threat detection systems like GuardDuty to mitigate cloud-based threats., AI security is fundamentally a cloud infrastructure problem. Reactive approaches are insufficient; organizations must adopt proactive, systematic, and scientific methods to secure AI systems. Cloud security must be treated as a foundational element of AI security., Traditional perimeter security is insufficient against social engineering tactics. Organizations must adopt holistic security strategies that account for human factors alongside technological defenses. HR personnel are increasingly targeted due to their regular interaction with external contacts., Organizations must prioritize secure cloud configurations, regularly audit cloud storage settings, and avoid storing sensitive data in publicly accessible or misconfigured buckets. AWS, GCP, and Azure users should enable identity-checking services and monitor for exposed secrets., CI/CD pipeline security is critical, especially for untrusted contributions. Misconfigurations in webhook filters can lead to high-impact breaches. Anchoring regex patterns and limiting PAT permissions are essential mitigations., Shift in Sandworm tactics from zero-day exploits to low-effort targeting of misconfigured devices; importance of securing edge devices and cloud-hosted network infrastructure., Phishing campaigns often exploit reduced security staffing during holidays. Urgent language and credential requests in emails should be treated with heightened suspicion. Password manager users are high-value targets for credential harvesting., Need for stricter safeguards in international data transfers, especially to non-U.S. countries.

What was the most significant recommendation implemented to improve cybersecurity ?

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Strengthen collaboration between cloud providers and regulators to improve resilience standards., Mitigate risks by diversifying cloud providers or adopting multi-cloud strategies., Implement least-privilege principles for local user permissions., Use CodeBuild-hosted runners to manage build triggers via GitHub workflows, Use behavioral detection tools (e.g., Darktrace) to identify anomalous container activity., Change account password, Replace legacy ACLs with IAM policies for finer-grained access control., Regularly audit S3 bucket configurations using AWS tools and third-party scanners (e.g., Fog Security’s open-source tool)., Report abuse of cloud services (e.g., AWS) to platform providers for takedown., Implement comprehensive training programs for HR personnel on phishing and social engineering risks., Implement robust data protection measures for cross-border data flows, ensure transparency in data storage practices, and comply with GDPR requirements for international transfers., Disable external access to Docker daemons unless absolutely necessary., Implement network segmentation and enhanced monitoring, Monitor shared/multi-user Linux environments for unauthorized WorkSpace access., Conduct regular security audits and reviews of AWS environments, Limit PAT permissions to the minimum required, Implement redundancy and failover mechanisms for core services like DNS and load balancers., Secure management interfaces on edge devices, enforce proper configurations, monitor for persistent connections from actor-controlled IPs, collaborate with cloud providers for threat intelligence., Adopt zero-trust principles for cloud storage services., Use a dedicated unprivileged GitHub account for CodeBuild integration, Regularly audit authentication token handling in virtual desktop solutions., Enhance transparency in post-incident disclosures (e.g., timely root cause analysis)., Implement stricter data privacy policies and ensure compliance with relevant regulations., Regularly audit cloud configurations (e.g., AWS EC2) for exposed services., Implement network segmentation to limit lateral movement from compromised containers., Enable Pull Request Comment Approval build gate for untrusted contributions, Enhance monitoring for unusual traffic patterns or file types (e.g., ZIP files from unexpected sources)., Adopt secure development practices to prevent misconfigurations, Implement redundancy and backup systems to minimize downtime impact., Implement strong cloud security policies and encryption standards., Avoid storing sensitive data in user data or environment variables, Conduct regular audits of cloud storage configurations, Collaborate with cloud service providers, AI developers, and security professionals to develop robust security frameworks., Enable identity-checking services (e.g., AWS IAM), Implement social engineering training programs, Monitor for unusual key rotation or encryption activities in cloud environments., Generate a unique PAT for each CodeBuild project, Monitor AWS accounts for unusual activity or configurations, AWS should improve the clarity and reach of security advisories to ensure all affected customers are notified., Monitor for unauthorized use of Docker SDK or container deployment tools., Isolate AI workloads from potential vulnerabilities in the cloud., Regularly audit S3 bucket configurations for misconfigurations., Enable AWS Block Public Access Settings at both account and bucket levels., Enable two-factor authentication, Negotiate contracts to reduce vendor lock-in and data egress costs., Implement strict access controls and encryption key management policies for S3 buckets., Conduct regular security audits of cloud environments hosting AI workloads., Modernize DNS and critical infrastructure to meet cloud-era demands., Adopt advanced AI-specific security tools and protocols for real-time threat detection., Adopt additional verification procedures for resume submissions and external communications., Use layered defenses (e.g., behavioral WAF, network segmentation) to detect and block malicious activity., Bolster email security controls to block messages from identified sender addresses. Reinforce phishing awareness training, particularly regarding urgent language and unsolicited credential requests. Encourage users to report suspicious emails to designated abuse contacts., Immediately upgrade to Amazon WorkSpaces client for Linux version 2025.0 or later., Maintain vigilance for cloud-hosted phishing sites using trusted IP ranges., Enable multifactor authentication (MFA) for all AWS accounts, Assess geopolitical/regulatory risks when selecting cloud providers., Review authorized devices, Monitor for unusual access patterns or policy changes in S3 buckets., Diversify cloud dependencies to reduce single points of failure., Engage with AWS support or security teams for incident response guidance, Ensure regex patterns in webhook filters are anchored (use ^ and $), Enhance network segmentation and monitoring for AI systems. and Rotate IAM credentials immediately to prevent unauthorized access.

References

What is the most recent source of information about an incident ?

Most Recent Source: The most recent source of information about an incident are The Straits Times (ST), AWS Spokesperson Statement, Trend Micro Report, Amazon GuardDuty Threat Detection, Cybersecurity Dive, Help Net Security, DomainTools Research, Forrester (Brent Ellis, Principal Analyst), Unit 42 (Palo Alto Networks) and Wakefield Research, BleepingComputer, AWS Security Bulletin AWS-2025-025, Downdetector, Amazon Threat Intelligence Unit, California Office of the Attorney General, Shane Barney, CISO at Keeper Security, AWS Advisory, Security firm Miggo, Sysdig (Crystal Morin, Senior Cybersecurity Strategist), webXray, Fog Security Research, Amazon WorkSpaces Client Download Page, The Conversation, The Hacker News, DLA Piper Report, Tenable Report on Toxic Cloud Trilogies, LastPass Advisory, Darktrace Blog Post, AWS Status Page, State of Cloud Security Report 2025, Keeper Security (Darren Guccione, CEO), Wiz Research Report and Video Games Chronicle.

What is the most recent URL for additional resources on cybersecurity best practices ?

Most Recent URL for Additional Resources: The most recent URLs for additional resources on cybersecurity best practices are https://downdetector.com and https://status.aws.amazon.com.

Investigation Status

What is the current status of the most recent investigation ?

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing.

Stakeholder and Customer Advisories

What was the most recent stakeholder advisory issued ?

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was: AWS sent emails to customers (potentially incomplete), public disclosure via cybersecurity media; AWS-2025-025 Security Bulletin; AWS users advised to review security configurations and conduct regular audits to detect and address unauthorized activities; Organizations are advised to adopt a proactive and scientific approach to AI security, focusing on securing cloud infrastructure as a priority; AWS released an advisory detailing the misconfiguration and remediation steps; Organizations advised to block identified sender addresses and reinforce phishing awareness.

What was the most recent customer advisory issued ?

Most Recent Customer Advisory: The most recent customer advisories issued were: Ring users should review authorized devices from the app's Control Center > Authorized Client Devices section, and if any devices or logins are not recognized, they should be removed immediately; Enable Block Public Access Settings, review and retire ACLs in favor of IAM policies, and scan S3 buckets for unintended public exposure using tools like Fog Security’s open-source scanner; AWS acknowledged service disruptions via status page, no specific customer advisories mentioned; Upgrade to version 2025.0 immediately, contact [email protected] for concerns; AWS customers should rotate IAM credentials, enable MFA, and monitor accounts for unusual activity; LastPass users advised to delete suspicious emails, report them to [email protected] and avoid responding to unsolicited urgent requests for credentials.

Initial Access Broker

What was the most recent entry point used by an initial access broker ?

Most Recent Entry Point: The most recent entry points used by an initial access broker were: Exposed management interfaces on misconfigured edge devices, LinkedIn, Indeed (professional networking platforms), Security flaw in Neighbors app, Predictable GitHub actor ID via bot user registration, Email, Compromised IAM credentials and Phishing email.

Post-Incident Analysis

What was the most significant root cause identified in post-incident analysis ?

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was: Lack of social engineering awareness; Error in server configuration change; Misconfigured S3 Bucket; Lack of clear user consent and transparency in data collection; Misconfiguration of AWS Application Load Balancer Authentication; Backend Update Bug; Trusted Advisor’s inability to detect public bucket status when specific `Deny` policies block its checks (`s3:GetBucketPolicyStatus`, `s3:GetBucketPublicAccessBlock`, `s3:GetBucketAcl`), overlap between legacy ACLs and modern bucket policies creating confusion and misconfiguration risks, lack of redundant validation mechanisms to cross-check bucket exposure status; Misconfigured Docker daemons exposed to the internet, lack of access controls for Docker APIs on cloud instances, default Docker settings not hardened for production environments; Pending AWS's detailed summary (potential causes: hardware error, misconfiguration, human error, or unforeseen DNS subsystem failures); Malfunction at AWS data center in Northern Virginia (likely a configuration error); Improper handling of authentication tokens in DCV-based WorkSpaces, insecure token storage accessible to local users; Over-reliance on perimeter defenses without monitoring cloud-native services, misconfigured or weakly managed encryption keys in S3 buckets, lack of visibility into cloud-specific attack vectors (e.g., key rotation abuse); Weak IAM credential security, lack of MFA, insufficient monitoring of AWS environments; Weaknesses in cloud security frameworks, insufficient encryption and identity management, lack of proactive security measures for AI systems, over-reliance on reactive security approaches; Exploitation of trust in professional networking platforms (LinkedIn/Indeed), abuse of trusted cloud infrastructure (AWS EC2/S3) to host malicious content, sophisticated traffic filtering to evade detection (IP reputation, geolocation, OS fingerprinting), use of CAPTCHA to bypass automated security scanners, lack of verification procedures for external communications in HR workflows; Misconfigured cloud storage buckets, public exposure of sensitive data, lack of identity-checking services in some cases, overconfidence in cloud provider security measures; Insufficient regex anchoring in AWS CodeBuild webhook filters, allowing unauthorized actor IDs to trigger builds and access privileged credentials; Customer misconfigurations in network edge devices, lack of proper security controls for exposed management interfaces; Exploitation of user trust via social engineering, use of compromised AWS S3 buckets and spoofed domains, timing attack during holiday weekend to evade detection; Inadequate safeguards for data transfers to China, lack of transparency in data storage practices.

What was the most significant corrective action taken based on post-incident analysis ?

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was: Implement social engineering training; Removed the S3 bucket; AWS updated Trusted Advisor to bypass or account for `Deny` policies that previously blocked its checks, customer guidance issued to enforce Block Public Access and migrate from ACLs to IAM policies, open-source tool provided by Fog Security to help customers audit S3 configurations; Secure Docker APIs by default, restricting external access, enforce least-privilege principles for cloud instance configurations, deploy behavioral detection for containerized environments; Pending AWS's detailed summary (known actions: DNS resolution fixes, load balancer subsystem repairs, traffic backlog clearance); Technical fix applied, no further details provided; Token management overhaul in version 2025.0, enhanced access controls for multi-user environments; Enhance logging and monitoring for cloud encryption/key management services, enforce least-privilege access for S3 buckets and associated keys, conduct red-team exercises simulating cloud-native ransomware scenarios; Strengthen IAM policies, implement MFA, enhance monitoring with GuardDuty, conduct security audits; Strengthen cloud security policies, implement encryption and identity management best practices, adopt proactive security measures for AI workloads, enhance network segmentation and monitoring; Implement stricter verification for external communications (e.g., resume submissions), enhance monitoring for cloud-hosted phishing sites using trusted IP ranges, train HR personnel on social engineering risks and phishing tactics, adopt layered security defenses (e.g., behavioral WAF, network segmentation), collaborate with cloud providers to report and disable abusive content; Enable identity-checking services, regularly audit cloud configurations, remove sensitive data from user data/environment variables, implement enhanced monitoring; Anchored regex patterns, rotated credentials, implemented additional build process security measures; Disruption of threat operations, customer notifications, collaboration with security community to counter state-sponsored threats; Dismantling phishing infrastructure, blocking malicious sender addresses, reinforcing user education on phishing risks.

CVE

Latest Global CVEs (Not Company-Specific)

Description

Typemill is a flat-file, Markdown-based CMS designed for informational documentation websites. A reflected Cross-Site Scripting (XSS) exists in the login error view template `login.twig` of versions 2.19.1 and below. The `username` value can be echoed back without proper contextual encoding when authentication fails. An attacker can execute script in the login page context. This issue has been fixed in version 2.19.2.

Risk Information
cvss3
Base: 5.4
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Description

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the DomainCheckerApp class within domain/script.js of Sourcecodester Domain Availability Checker v1.0. The vulnerability occurs because the application improperly handles user-supplied data in the createResultElement method by using the unsafe innerHTML property to render domain search results.

Description

A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Modern Image Gallery App v1.0 within the gallery/upload.php component. The application fails to properly validate uploaded file contents. Additionally, the application preserves the user-supplied file extension during the save process. This allows an unauthenticated attacker to upload arbitrary PHP code by spoofing the MIME type as an image, leading to full system compromise.

Description

A UNIX symbolic link following issue in the jailer component in Firecracker version v1.13.1 and earlier and 1.14.0 on Linux may allow a local host user with write access to the pre-created jailer directories to overwrite arbitrary host files via a symlink attack during the initialization copy at jailer startup, if the jailer is executed with root privileges. To mitigate this issue, users should upgrade to version v1.13.2 or 1.14.1 or above.

Risk Information
cvss3
Base: 6.0
Severity: LOW
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
cvss4
Base: 6.0
Severity: LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

An information disclosure vulnerability exists in the /srvs/membersrv/getCashiers endpoint of the Aptsys gemscms backend platform thru 2025-05-28. This unauthenticated endpoint returns a list of cashier accounts, including names, email addresses, usernames, and passwords hashed using MD5. As MD5 is a broken cryptographic function, the hashes can be easily reversed using public tools, exposing user credentials in plaintext. This allows remote attackers to perform unauthorized logins and potentially gain access to sensitive POS operations or backend functions.

Access Data Using Our API

SubsidiaryImage

Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=amazon-business' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure ?

Incident
Finding
Grade
Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.