Data breaches from leaked secrets

U.S. Treasury (BeyondTrust): Exposed support API key attack
BREACH DATE: December 2024
ENTRY UPDATED: March 10, 2025

SUMMARY
In late 2024, a Chinese state-sponsored hacking group (APT) carried out a supply-chain attack by exploiting a stolen API key from BeyondTrust’s Remote Support service. BeyondTrust is a vendor that provides remote tech support tools to organizations, including the U.S. Treasury Department. On December 8, 2024, BeyondTrust notified the Treasury that attackers had obtained an API key used to secure its cloud-based remote support portal for Treasury Department employees. With this key, the threat actor was able to bypass security controls in the support service, effectively gaining remote access to certain Treasury user workstations and the data on them.
COMPROMISED ACCOUNTS
Treasury Department employees affected
COMPROMISED DATA
Unclassified documents maintained by Treasury Departmental Offices users. Sensitive law enforcement information. Materials related to investigations conducted by the Committee on Foreign Investment in the U.S.
IMPACT ON END USERS
For the U.S. Treasury, the incident was a serious security breach: attackers remotely accessed employee computers, which could undermine trust in IT support channels and potentially expose sensitive information.
Slack: Stolen employee tokens
BREACH DATE: July 2024
ENTRY UPDATED: January 30, 2025

SUMMARY
Slack, the workplace messaging platform, experienced a security incident over the 2022 holiday period when a limited number of employee tokens were stolen and misused to access the company’s externally hosted GitHub code repositories. On December 27, 2022, a threat actor used these leaked credentials to download some private Slack source code. Fortunately, no customer data or Slack’s primary codebase was accessed, and the breach did not stem from a vulnerability in Slack itself. Slack quickly invalidated the compromised tokens and rotated other secrets as a precaution.
COMPROMISED ACCOUNTS
NA
COMPROMISED DATA
Private Slack source code.
IMPACT ON END USERS
No direct impact on customers or end-user data.
Dropbox Sign (HelloSign): Service account breach exposing API keys
BREACH DATE: April 2024
ENTRY UPDATED: January 1, 2025

SUMMARY
Dropbox disclosed that its electronic signature subsidiary, Dropbox Sign (formerly HelloSign), was breached in April 2024. Attackers compromised a service account in the Dropbox Sign production environment, which is a non-human account used for automated backend tasks. Using this account’s credentials, the intruders gained admin-level access to Dropbox Sign’s production systems, including its customer database. As a result, they were able to access a variety of user data and secrets. Specifically, the attackers retrieved Dropbox Sign customer account information, including authentication data such as API keys, OAuth access tokens, and MFA setup info.
COMPROMISED ACCOUNTS
All Dropbox Sign (formerly HelloSign) customers
COMPROMISED DATA
Customer information like email addresses, usernames, phone numbers (in some cases), hashed passwords, and important authentication details like API keys and OAuth tokens were accessed.
IMPACT ON END USERS
Users were required to take multiple security actions. Dropbox invalidated all exposed passwords and session tokens, forcing password resets for affected accounts. They also restricted the functionality of exposed API keys and OAuth tokens until customers could rotate them.
Okta: Support system compromise via exposed credentials
BREACH DATE: October 2023
ENTRY UPDATED: January 23, 2024

SUMMARY
Identity provider Okta revealed that a threat actor gained unauthorized access to its customer support case management system by exploiting leaked credentials for a support service account. An Okta employee had inadvertently saved the support account’s username and password in their personal Google Chrome profile, which was likely compromised, exposing the credentials. Between late September and October 17, 2023, the attacker used these credentials to access files from support tickets of 134 Okta customers. Some of these files included HTTP Archive (HAR) logs containing session cookies/session tokens.
COMPROMISED ACCOUNTS
134 customers
COMPROMISED DATA
The hacker used stolen session tokens to hijack five customers’ active Okta sessions, impersonating those users in their own Okta orgs.
IMPACT ON END USERS
For the five affected customer organizations, the attacker’s use of session tokens could have led to unauthorized access to those organizations’ Okta tenant data. Okta worked with those customers to revoke compromised sessions and cookies. Beyond those cases, other customers whose support files were accessed were advised to review what was in those uploads (e.g., scrub HAR logs) and to monitor for any misuse.
Microsoft (AI research data leak): Exposed Azure storage key
BREACH DATE: September 2023
ENTRY UPDATED: December 12, 2023

SUMMARY
Researchers from Wiz discovered that Microsoft’s AI research team had accidentally exposed an overly permissive Azure Shared Access Signature (SAS) token in a GitHub repository. This single leaked storage access key granted full control over an entire Azure Storage account, exposing 38 TB of private data that Microsoft did not intend to share. The trove included a disk backup of two employees’ workstations containing sensitive secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages from 359 Microsoft employees. The leak was an internal exposure (not the result of an outside attack) caused by a misconfigured token that allowed access well beyond the specific AI training data it was meant to share. Microsoft was alerted to the issue on June 22, 2023, and promptly revoked the SAS token to secure the data.
COMPROMISED ACCOUNTS
Limited / Internal exposure
COMPROMISED DATA
38 TB of private data that Microsoft did not intend to share.
IMPACT ON END USERS
NA
CircleCI: Secrets breach via stolen token
BREACH DATE: January 2023
ENTRY UPDATED: September 12, 2024

SUMMARY
CircleCI, a popular CI/CD platform, suffered a major breach caused by infostealer malware on an engineer’s laptop. The malware stole a 2FA-backed SSO session cookie, allowing the attacker to impersonate the employee and access CircleCI’s internal production systems. Using this access, the hacker generated new tokens and exfiltrated sensitive data from some of CircleCI’s databases, including customers’ environment variables, API keys, and tokens. Although the stolen data was encrypted at rest, the attacker also grabbed the encryption keys from memory and used them to decrypt the stolen secrets. CircleCI disclosed the incident on January 4, 2023, urging all customers to rotate any secrets stored in the platform.
COMPROMISED ACCOUNTS
Undisclosed / Potentially All
COMPROMISED DATA
Customers’ security was at risk because the stolen API keys and tokens could be used to access those customers’ systems.
IMPACT ON END USERS
CircleCI required users to rotate all secrets (SSH keys, API tokens, OAuth tokens, etc.) that were stored in CircleCI. “Fewer than 5” customers reported unauthorized access to their systems as a result of the stolen tokens.