| Uber | 2014, May | Github Gist (data analysis script) with AWS credentials | N/A | 50,000 records, including names and driver’s licenses from S3 hosted database prunes | Exclusive: In lawsuit over hacking, Uber probes IP address assigned to Lyft exec - sources , A blameless post-mortem of USA v. Joseph Sullivan |
| Code Spaces | 2014, June | AWS Console Credentials (Phishing?) | Attacker created additional accounts/access keys | Wiped S3 buckets, EC2 instances, AMIs, EBS snapshots | Hacker puts code spaces out of business |
| BrowserStack | 2014, November | Shellshock on exposed, outdated prototype machine | Access keys on server, used to create IAM user, create EC2, and mount backup | Steal user data and email users | BrowserStack analysis |
| DNC Hack by the GRU | 2016, June | Unknown, test clusters breached | EC2 Snapshots copied to attacker AWS accounts | Tableau and Vertica Queries | DEMOCRATIC NATIONAL COMMITTEE v. THE RUSSIAN FEDERATION |
| DataDog | 2016, July | CI/CD AWS access key and SSH private key leaked | Attacker attempted to pivot with customer credentials | 3 EC2 instances and subset of S3 buckets | 2016-07-08 Security Notice |
| Uber | 2016, October | ~13 Hacked Uber credentials purchased for forum gave access to private Github Repo with AWS credentials | N/A | Names and driver’s license numbers of 600k drivers, PII of 57 million users in unencrypted manual backup | Uber concealed cyberattack ..., A blameless post-mortem of USA v. Joseph Sullivan |
| Lynda.com | 2016, December | Private Github Repo with AWS credentials | N/A | User data for 9.5m users, attempted extortion | 2 Plead Guilty in 2016 Uber and Lynda.com Hacks |
| OneLogin | 2017, May | AWS keys | Created EC2 instances | Accessed database tables (with encrypted data) | May 31, 2017 Security Incident |
| Politifact | 2017, October | "Misconfigured cloud computing server" | N/A | Coinhive cryptojacking | Hackers have turned Politifact’s website into a trap for your PC |
| DXC Technologies | 2017, November | Private AWS key exposed via Github | 244 EC2 instance started | Cryptomining | DXC spills AWS private keys on public GitHub |
| Drizly | 2018 | AWS Credentials committed to public github repo | N/A | Cryptojacking | FEDERAL TRADE COMMISSION - Drizly Complaint |
| LA Times | 2018, February | S3 global write access | N/A | Cryptojacking | Coinhive cryptojacking added to homicide.latimes.com |
| Tesla | 2018, February | Globally exposed Kubernetes console, Pod with AWS credentials | N/A | Cryptojacking | Hack Brief: Hackers Enlisted Tesla's Public Cloud to Mine Cryptocurrency |
| Chegg | 2018, April | Former contractor abuses broadly shared root credential | Unknown | 40 million users' data (from S3 bucket) | FTC Complaint |
| imToken | 2018, June | Email account compromise | Reset AWS account password | Minimal customer device data | Disclosure of Security Incidents on imToken |
| Voova | 2019, March | Stolen credentials by former employee | N/A | Deleted 23 servers | Sacked IT guy annihilates 23 of his ex-employer’s AWS servers |
| Capital One | 2019, April | "Misconfigured WAF" that allowed for a SSRF attack | Over-privileged EC2 Role | 100 million credit applications | A Technical Analysis of the Capital One Cloud Misconfiguration Breach |
| JW Player | 2019, September | Weave Scope (publicly exposed), RCE by design | N/A | Cryptojacking | How A Cryptocurrency Miner Made Its Way onto Our Internal Kubernetes Clusters |
| Malindo Air | 2019, September | Former employee insider threat | N/A | 35 million PII records | Malindo Air: Data Breach Was Inside Job |
| Imperva | 2019, October | “Internal compute instance” globally accessible, “Contained” AWS API key | N/A | RDS snapshot stolen | Imperva Security Update |
| Cameo | 2020, February | Credentials in mobile app package | N/A | Access to backend infrastructure, including user data | Celeb Shout-Out App Cameo Exposes Private Videos and User Data |
| Open Exchange Rates | 2020, March | Third-party compromise exposing access key | N/A | User database | Exchange rate service’s customer details hacked via AWS |
| First Republic Bank | 2020, March | Fired employee incompletely offboarded | N/A | System interruption | First Republic Bank |
| Live Auctioneers | 2020, July | Compromised third party software granting access to cloud environment | N/A | User database, including MD5 hashed credentials | Washington State OAG - Live Auctioneers |
| Twilio | 2020, July | S3 global write access | N/A | Magecart2 | Incident Report: TaskRouter JS SDK Security Incident |
| Natures Basket responsible disclosure | 2020, July | Hard-coded root keys in source code exposed via public S3 bucket | N/A | N/A | GotRoot! AWS root Account Takeover |
| Drizly | 2020, July | Inactive Github account compromised via reused password, granting AWS credential access in source code | N/A | RDS Instance with 2.5 million users data exfiltrated | FTC Takes Action Against Drizly and its CEO James Cory Rellas for Security Failures that Exposed Data of 2.5 Million Consumers |
| Cryptomining AMI | 2020, August | Windows 2008 Server Community AMI | N/A | Monero miner | Cryptominer Found Embedded in AWS Community AMI |
| Animal Jam | 2020, November | Slack compromise exposes AWS credentials | N/A | User database | Kids' gaming website Animal Jam breached |
| Cisco | 2020, December | Former employee with AWS access 5 months post-resignation | N/A | Deleted ~450 EC2 instances | Former Cisco engineer sentenced to prison |
| Juspay | 2021, January | Compromised old, unrecycled Amazon Web Services (AWS) access key | N/A | Masked card data, email IDs and phone numbers | Data from August Breach of Amazon Partner Juspay Dumped Online |
| 20/20 Eye Care Network and Hearing Care Network | 2021, January | Compromised credential | N/A | S3 buckets accessed then deleted | 20/20 Eye Care Network and Hearing Care Network notify 3,253,822 health plan members of breach that deleted contents of AWS buckets |
| Sendtech | 2021, February | (Current or former employee) Compromised credentials | Created additional admin account | Accessed customer data in S3 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2102-B7884 |
| LogicGate | 2021, April | Compromised credentials | N/A | Backup files in S3 stolen | Risk startup LogicGate confirms data breach |
| Ubiquiti | 2021, April | Compromised credentials from IT employee Lastpass (alleged former employee insider threat) | N/A | root administrator access to all AWS accounts, extortion | Ubiquiti All But Confirms Breach Response Iniquity |
| Uran Company | 2021, July | Compromised Drupal with API keys | N/A | Cryptomining | Clear and Uncommon Story About Overcoming Issues With AWS |
| redoorz.com | 2021, September | Access Key leaked via APK | N/A | Customer database stolen | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2009-B7057 |
| HPE Aruba | 2021, October | Unknown exposure of Access Key | N/A | Potential access to network telemetry and contact trace data | Aruba Central Security Incident |
| Kaspersky | 2021, November | Compromised SES token from third party | N/A | Phishing attacks | Kaspersky's stolen Amazon SES token used in Office 365 phishing |
| Onus | 2021, December | Log4Shell vulnerability in Cyclos server | AmazonS3FullAccess creds (and DB creds) in Cyclos config | 2 million ONUS users’ information including EKYC data, personal information, and password hash was leaked. | The attack on ONUS – A real-life case of the Log4Shell vulnerability |
| Flexbooker | 2021, December | Unknown | Unknown | 3.7M first and last names, email addresses, phone numbers, "encrypted" passwords | Booking management platform FlexBooker leaks 3.7 million user records |
| npm | 2022, April | Third party OAuth token compromise granting private repository access, containing AWS keys | Unknown | 100k users data (from 2015) | npm security update: Attack campaign using stolen OAuth tokens |
| Uber | 2022, September | Contractor account compromise leading to AWS credential discovery on a shared drive | Unknown | N/A | Uber - Security update |
| Lastpass | 2022, October | Stole source code and accessed development environment via compromised developer account (an IAM User) | Unknown pivot point into production environment. Later compromise of a privileged engineer's personal machine to gain access to decryption keys for stolen data | Internal and customer data broadly compromised, including backups of MFA database | Notice of Recent Security Incident,Incident 2 – Additional details of the attack |
| Teqtivity (Uber Vendor) | 2022, December | Unknown | Unknown | "AWS backup server" with device and user information | Breach Notification Statement, Uber suffers new data breach after attack on vendor, info leaked online |
| CommuteAir | 2023, January | Publicly Exposed Jenkins with hardcoded credentials | N/A | 2019 FAA No Fly List | how to completely own an airline in 3 easy steps, U.S. airline accidentally exposes ‘No Fly List’ on unsecured server |