Incident Details
In July 2016, SaaS provider DataDog experienced a breach that affected its AWS customers due to an attacker gaining unauthorized access through compromised AWS access and SSH keys.
Incident
How Did the Breach Happen?
The breach occurred when the attacker exploited a leaked AWS access key and an SSH private key. These keys were part of DataDog's automated provisioning and release systems, allowing the attacker to access their AWS EC2 instances and a subset of S3 buckets.
What Data has been Compromised?
The compromised data included user credentials for DataDog services, service metadata, and credentials for third-party integrations.
Why Did the company's Security Measures Fail?
The security measures failed due to the compromise of critical access keys, which should not have been exposed. The exact reason for the failure in protecting these keys has not been disclosed.
What Immediate Impact Did the Breach Have on the company?
DataDog responded by quarantining the affected instances and issuing a security notice to their users. They requested users to reset passwords and for administrators to rotate or revoke credentials stored in DataDog systems.
How could this have been prevented?
The breach could have been prevented by avoiding the use of long-term AWS access keys, implementing better protection of access keys, employing more stringent key management policies, and possibly through the use of multi-factor authentication for sensitive operations.
What have we learned from this data breach?
From this breach, it is clear that securing access keys is critical for cloud infrastructure and services. Proper management of privileges and access control, along with regular audits of credentials, is necessary to prevent similar cybersecurity incidents.
Summary of Coverage
DataDog, a SaaS provider for cloud-scale monitoring, faced a breach in July 2016 when an attacker accessed their production servers using compromised AWS and SSH keys. This led to unauthorized accessibility to some of their AWS resources, including user credentials. The company acted promptly by notifying users, requesting credential resets, and reviewing security measures. The breach highlighted the importance of proper access control and credential management.