OPSEC-TWILIO-2022

Disclosed January 19, 2024, the Russian SVR-linked actor Midnight Blizzard breached Microsoft's corporate tenant by password-spraying a legacy, non-production test account that had a weak password and no MFA, using residential proxies to evade detection. The actor then abused a malicious OAuth application, leveraging the test account's permissions to grant itself Exchange Online full_access_as_app rights and read corporate mailboxes. A small percentage of corporate email accounts were accessed, including senior leadership and staff in cybersecurity and legal functions, with some emails and attachments exfiltrated. A later update noted attempts to use exfiltrated secrets and source-code repository access.

LastPass suffered two linked breaches in 2022. In August, an attacker compromised a developer account and stole source code and technical documentation. Using that information, the attacker targeted a senior DevOps engineer, one of only four people with access to production backup decryption keys, by exploiting an unpatched vulnerability in Plex media software on the engineer's home computer to install a keylogger and capture the master password after MFA. Between August 12 and October 26, 2022, the attacker exfiltrated cloud backups including encrypted customer vaults (with unencrypted URLs), AWS S3 production backups, DevOps secrets, and MFA seed databases, putting customers with weak master passwords at offline brute-force risk.

Beginning around October 9, 2024, the Internet Archive suffered overlapping attacks rooted in unrotated, exposed authentication tokens. A plaintext GitLab token left in a publicly accessible config file on a dev server (exposed since at least December 2022 and never rotated) let an attacker download source code containing further embedded database credentials, enabling exfiltration of a user database of around 31 million users with emails and bcrypt-hashed passwords. A JavaScript defacement and DDoS attacks accompanied it. On October 20, 2024, an unrotated Zendesk API token, also exposed via the same token mismanagement, was used to access more than 800,000 support tickets, some containing personal ID documents.

Between roughly April and June 2024, the threat group UNC5537 conducted mass data theft from about 165 Snowflake customer tenants. The attackers did not exploit any flaw in Snowflake itself; they logged in with valid usernames and passwords harvested by infostealer malware from employee and contractor machines and sold on criminal markets, some credentials years old. The targeted accounts had no MFA enabled and no network allow-listing, so stolen single-factor credentials granted direct access. Victims included Ticketmaster/Live Nation (about 560 million customers), Santander (about 30 million customers), and AT&T (call and text metadata for roughly 110 million customers, with AT&T reportedly paying about $370,000).

Publicly disclosed January 30, 2024, a Mercedes-Benz employee accidentally committed a GitHub authentication token to a public repository, leaving it exposed from September 29, 2023. RedHunt Labs found the token during an internet-wide scan; it granted unrestricted, unmonitored access to Mercedes-Benz's internal GitHub Enterprise Server, allowing anyone to download private source-code repositories that could contain API keys, cloud access keys, database connection strings, blueprints, and SSO passwords. After notification, the token was revoked on January 24, 2024. Mercedes-Benz stated customer data was not affected but could not confirm whether anyone besides the researchers accessed the repositories during the exposure window.

Between September 28 and October 17, 2023, an attacker used stolen credentials to access Okta's customer support case-management system. The credentials belonged to a service account that an employee had saved into their personal Google account after signing into a personal Chrome profile on an Okta-managed laptop. The attacker downloaded customer-uploaded HTTP Archive (HAR) files, some of which contained valid session tokens usable for session hijacking. The breach affected 134 customers, with confirmed session hijacking at five, including BeyondTrust, Cloudflare, and 1Password. Okta disabled the service account and blocked personal Google sign-ins on managed devices.