As organisations increasingly migrate to the cloud, securing sensitive data has never been more critical. While cloud computing offers flexibility and scalability, it also opens the door to a range of security risks.
From simple misconfigurations to complex insider threats, cloud security breaches have cost companies huge sums of money and compromised millions of users’ private information. In this article, we explore 10 high-profile cloud security failures, each one providing a vital lesson in the importance of robust security practices. These real-life incidents serve as cautionary tales for businesses relying on cloud services, offering key takeaways to help prevent the next major breach.
Here’s what went wrong, what could have been done differently and how companies can fortify their defences against the ever-evolving landscape of cloud security threats.
1. Dropbox (2012)
Incident: A hacker obtained Dropbox user credentials through a third-party breach and accessed users’ cloud-stored files, exposing millions of accounts.
Response: A Dropbox investigation determined that usernames and passwords stolen from other websites were used to sign in to “a small number” of Dropbox accounts. The company contacted those users, offering to help them protect their accounts.
Aditya Agarwal, then VP of engineering at Dropbox, said: “A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam.” He added that Dropbox was putting additional controls in place to help make sure there was no repeat of the issue.
The cloud storage firm opted to introduce two-factor authentication (2FA) and enhanced security monitoring to prevent future breaches. Later, in 2016, it was revealed that the breach had affected more than 68 million user accounts. Dropbox prompted users who hadn’t changed their passwords since 2012 to do so as a precautionary measure.
Lesson: The importance of strong, multi-factor authentication (MFA) and monitoring for unusual login activity.
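The Dropbox incident above is a credential-stuffing case: passwords stolen from other sites were replayed against Dropbox accounts. The script below is an added example (not Dropbox's code or anything from the original article) showing what "monitoring for unusual login activity" looks like in practice. It assumes a constructed, hypothetical log format (`timestamp outcome user=... ip=...`) and flags any source address that fails logins against many distinct accounts within a short window, then lists accounts that succeeded from that address as likely takeovers.

```python
"""Detect credential-stuffing patterns in authentication logs.

Credential stuffing (passwords stolen elsewhere, replayed against many
accounts) looks different from a brute-force attempt on one account: a
single source address touches many distinct usernames, mostly failing,
with an occasional success. This flags such sources and the accounts
that succeeded from them.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log format (hypothetical, not Dropbox's): ISO timestamp,
# outcome, user and source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<outcome>login_ok|login_failed) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "outcome": m["outcome"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_stuffing(lines, window=timedelta(minutes=10), min_users=5):
    """Return {ip: {...}} for every source IP whose failed logins hit at
    least `min_users` distinct accounts inside any `window`-long span."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        failed = [e for e in evs if e["outcome"] == "login_failed"]
        # Sliding window over this IP's failures: how many distinct
        # usernames appear in any window-long span?
        suspicious = False
        start = 0
        for end in range(len(failed)):
            while failed[end]["ts"] - failed[start]["ts"] > window:
                start += 1
            users_in_window = {e["user"] for e in failed[start:end + 1]}
            if len(users_in_window) >= min_users:
                suspicious = True
                break
        if not suspicious:
            continue
        findings[ip] = {
            "users_tried": len({e["user"] for e in evs}),
            "failures": len(failed),
            # Any success from a stuffing source is a likely account takeover
            "successes": sorted({e["user"] for e in evs
                                 if e["outcome"] == "login_ok"}),
        }
    return findings


# Constructed sample: one stuffing source (203.0.113.7) trying seven
# accounts and succeeding on one; one ordinary user mistyping a password
# twice from 198.51.100.20 (both addresses are documentation ranges).
SAMPLE_LOG = """
2012-07-01T10:00:01Z login_failed user=alice ip=203.0.113.7
2012-07-01T10:00:02Z login_failed user=bob ip=203.0.113.7
2012-07-01T10:00:03Z login_failed user=carol ip=203.0.113.7
2012-07-01T10:00:04Z login_ok user=dave ip=203.0.113.7
2012-07-01T10:00:05Z login_failed user=erin ip=203.0.113.7
2012-07-01T10:00:06Z login_failed user=frank ip=203.0.113.7
2012-07-01T10:00:07Z login_failed user=grace ip=203.0.113.7
2012-07-01T10:05:00Z login_failed user=heidi ip=198.51.100.20
2012-07-01T10:05:09Z login_failed user=heidi ip=198.51.100.20
2012-07-01T10:05:20Z login_ok user=heidi ip=198.51.100.20
""".strip().splitlines()

if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['users_tried']} accounts tried, "
              f"{info['failures']} failures, takeovers={info['successes']}")
```

The thresholds (`window`, `min_users`) are deliberately conservative so that a legitimate user retrying one account, as `heidi` does in the sample, is never flagged; only the many-accounts-from-one-source pattern is. In a real deployment the flagged `successes` list is the action item: those sessions should be revoked and the accounts forced through MFA and a password reset.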
2. Snapchat (2014)
Incident: Snapchat’s cloud-based infrastructure was compromised due to vulnerabilities in the way it handled user data. Hackers exploited cloud systems and leaked millions of photos.
Response: In this data leak, often referred to as “The Snappening”, Snapchat itself was not directly hacked. Instead, third-party apps that stored Snapchat photos were compromised. A spokesperson for the company said: “Snapchatters were victimised by their use of third-party apps to send and receive Snaps. We expressly prohibit third-party apps that access our service, as they compromise users’ security.”
Snapchat warned users against third-party apps and improved its security policies to help prevent unauthorised access.
Lesson: Proper security measures for user data and image handling in cloud storage can prevent mass data leaks.
3. Uber (2016)
Incident: Hackers accessed Uber’s cloud-based storage and obtained personal data of 57 million users and drivers. Uber initially failed to report the breach.
Response: Uber executives eventually commented on the breach in 2017, but only after it had been made public. The transportation firm confirmed that 57 million accounts were compromised, including names, email addresses and phone numbers of users and drivers. Instead of reporting the breach at the time, Uber paid the hackers $100,000 under the guise of a bug bounty to delete the data and remain silent.
In November 2017, Dara Khosrowshahi, who became Uber’s CEO after the breach, admitted Uber’s failure to disclose the incident sooner. He said: “None of this should have happened, and I will not make excuses for it. We are changing the way we do business. We are taking steps to ensure that we do the right thing going forward.”
Joe Sullivan, Uber’s CSO during the breach, was later fired and charged with covering up the hack. Prosecutors accused him of obstructing justice by misclassifying the breach as a bug bounty payment. During his 2022 trial, Sullivan defended his actions, stating: “I was following the processes that were in place at Uber at the time.”
However, he was found guilty of obstructing justice, marking the first time a security executive was convicted for mishandling a data breach. After this scandal, Uber strengthened its security policies and reached a $148m settlement for failing to disclose the breach.
Lesson: Regularly monitor and secure cloud storage, enforce strict access control, and ensure proper incident response protocols.
4. AWS S3 Breach (2017)
Incident: A massive data leak occurred when companies mistakenly left AWS S3 buckets publicly accessible. This exposed sensitive data such as customer information, internal business documents, and private communications.
Response: AWS emphasised that the breaches were not due to vulnerabilities in AWS itself, but rather misconfigurations by customers who inadvertently left their S3 storage buckets publicly accessible.
The cloud computing provider issued a statement clarifying that these breaches were the result of user error, explaining: “Amazon S3 is secure by default, and bucket access is controlled by the customer. We provide clear guidance and tools for customers to configure their resources securely.”
AWS continued to roll out additional security features and enhancements to help customers protect their data.
The following year, AWS CISO Stephen Schmidt addressed these concerns at AWS re:Invent 2017. He said: “The number one security risk we see today is still misconfiguration. We strongly encourage customers to take advantage of encryption, IAM policies and access control features to prevent accidental exposure.”
Lesson: Always configure access permissions carefully and regularly audit cloud storage for security risks.
5. Accenture (2017)
Incident: Accenture accidentally exposed its internal cloud databases, which contained sensitive client information, including passwords, due to weak security configurations.
Response: Upon discovery, Accenture promptly secured the exposed data and stated: “There was no risk to any of our clients – no active credentials, PII, or other sensitive information was compromised.”
It further clarified that the exposed information did not grant access to client systems and was not related to production data or applications.
Lesson: Always encrypt sensitive data and carefully manage access to cloud-based infrastructure.
6. GitHub (2018)
Incident: GitHub experienced a massive DDoS attack that leveraged the cloud’s ability to scale. The attack overwhelmed GitHub’s infrastructure, but the incident showed how cloud services can both enable and mitigate large-scale attacks.
Response: This DDoS attack was one of the largest ever recorded at the time, peaking at 1.35 terabits per second (Tbps). It was a memcached amplification attack, which leveraged unsecured memcached servers to flood GitHub’s infrastructure with traffic.
After successfully mitigating the attack, GitHub’s engineering team published a blog post detailing the incident. It stated: “Between 17:21 and 17:30 UTC, GitHub was impacted by a record-breaking volumetric DDoS attack. We briefly experienced intermittent availability, but our systems automatically mitigated the attack. We modeled our DDoS response capabilities on previous attacks and immediately routed traffic to our DDoS mitigation provider.”
GitHub engineer Sam Kottler added: “This was the largest DDoS attack we – and the world – had ever seen at the time. Cloud-based mitigation strategies helped absorb the massive influx of traffic.”
Lesson: Cloud services are incredibly scalable, but it’s essential to have DDoS mitigation strategies in place, even in cloud environments.
7. Capital One (2019)
Incident: A misconfigured AWS S3 bucket exposed sensitive data from over 100 million customers. A former AWS employee exploited a vulnerability, accessing personal information, credit scores and banking details.
Response: On July 29, 2019, Capital One announced that on July 19, 2019, it had determined there was unauthorised access by an outside individual who obtained certain types of personal information relating to people who had applied for its credit card products and to Capital One credit card customers.
Capital One said it immediately fixed the configuration vulnerability that was exploited and promptly began working with federal law enforcement. The individual responsible for the breach was arrested by the FBI, and Capital One offered free credit monitoring and identity protection to those affected.
Lesson: The importance of proper configuration management and access control in cloud services.
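Both the 2017 S3 exposures (item 4) and the Capital One incident as described above (item 7) come down to the same question: is this bucket effectively reachable by the public? The script below is an added example, not code from the article, AWS or any of the companies named, of how to answer that from a bucket's configuration. It works offline over bucket descriptions shaped like the responses of the real S3 APIs (`GetPublicAccessBlock`, `GetBucketAcl`, `GetBucketPolicy`); the bucket names and contents are constructed. The evaluation rules follow AWS's documented semantics: `IgnorePublicAcls` neutralises existing public ACL grants and `RestrictPublicBuckets` neutralises an existing public bucket policy, while `BlockPublicAcls` and `BlockPublicPolicy` only reject new public settings, so their absence is reported as a hardening gap rather than an exposure.

```python
"""Audit S3 bucket configurations for effective public access.

Input is a list of dicts with the bucket's PublicAccessBlock settings,
ACL grants and (optional) policy JSON, i.e. what GetPublicAccessBlock,
GetBucketAcl and GetBucketPolicy return. Here the inputs are constructed.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTH_USERS}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(v):
    return [v] if isinstance(v, (str, dict)) else list(v or [])


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def policy_public_statements(policy_json):
    """Statements that Allow any principal with no Condition attached."""
    if not policy_json:
        return []
    stmts = _as_list(json.loads(policy_json).get("Statement"))
    return [s for s in stmts
            if s.get("Effect") == "Allow"
            and _principal_is_wildcard(s.get("Principal"))
            and not s.get("Condition")]


def acl_public_grants(acl):
    """ACL grants to the AllUsers or AuthenticatedUsers groups."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GRANTEES]


def audit_bucket(bucket):
    """Return a list of human-readable findings for one bucket."""
    pab = bucket.get("PublicAccessBlock") or {}
    findings = []
    # Public ACL grants are effective unless public ACLs are ignored.
    grants = acl_public_grants(bucket.get("Acl", {}))
    if grants and not pab.get("IgnorePublicAcls"):
        perms = sorted({g["Permission"] for g in grants})
        findings.append(f"public ACL grant(s): {', '.join(perms)}")
    # A public policy is effective unless RestrictPublicBuckets is on.
    pub_stmts = policy_public_statements(bucket.get("Policy"))
    if pub_stmts and not pab.get("RestrictPublicBuckets"):
        actions = sorted({a for s in pub_stmts for a in _as_list(s.get("Action"))})
        findings.append(f"public bucket policy allows: {', '.join(actions)}")
    # Missing Block*/Ignore/Restrict flags do not expose data by themselves
    # but leave the door open for the next misconfiguration.
    for flag in PAB_FLAGS:
        if not pab.get(flag):
            findings.append(f"PublicAccessBlock.{flag} not enabled")
    return findings


def audit_all(buckets):
    return {b["Name"]: audit_bucket(b) for b in buckets}


# Constructed sample buckets (hypothetical names and contents).
SAMPLE_BUCKETS = [
    {
        "Name": "customer-exports-leaky",
        "PublicAccessBlock": {},
        "Acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS},
                            "Permission": "READ"}]},
        "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::customer-exports-leaky/*"}]}),
    },
    {
        "Name": "internal-docs-hardened",
        "PublicAccessBlock": {flag: True for flag in PAB_FLAGS},
        "Acl": {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                            "Permission": "FULL_CONTROL"}]},
        "Policy": None,
    },
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_BUCKETS).items():
        print(name, "->", findings or ["OK"])
```

Run periodically against every bucket in the account (feeding it the real API responses), the check turns "audit cloud storage regularly" into a concrete control: the first two finding types are live exposures to fix now, the `PublicAccessBlock` findings are preventive settings to switch on so a future ACL or policy change cannot reopen the bucket.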
8. Microsoft (2019)
Incident: In 2019, Microsoft exposed millions of customer support records due to misconfigured cloud storage settings. The data was stored in Azure Blob Storage, and it was discovered that the records, which included customer support tickets and other sensitive information, were publicly accessible due to improper security configurations.
Response: Microsoft quickly secured the exposed data and acknowledged that a third-party vendor was responsible for the error. It clarified that the data was not accessed by malicious actors but was publicly visible due to the misconfiguration. Microsoft worked to prevent similar incidents in the future by tightening security protocols for cloud storage.
Lesson: This incident highlights the critical importance of correctly configuring cloud storage and enforcing proper access controls. Regular security audits and monitoring are necessary to identify and fix vulnerabilities before they can be exploited.
9. Facebook (2019)
Incident: Facebook exposed over 540 million records through unsecured cloud storage, including data such as user comments, likes, and reactions, making it vulnerable to external access.
Response: After the exposure was discovered, Facebook acknowledged that third-party developers were responsible for the unsecured storage. Facebook clarified that the data was not directly leaked from its own systems but was the result of improper security practices by app developers who used Facebook’s APIs to collect user data.
Facebook reportedly worked to notify the third-party developers and encouraged them to fix the security vulnerabilities. It also restricted access to the API that allowed apps to collect such data, making it harder for future data leaks to occur due to misconfigurations.
Lesson: Ensure cloud storage is correctly configured and implement encryption to protect data at rest.
10. Slack (2020)
Incident: Slack’s cloud infrastructure was compromised after an employee’s API token was exposed publicly. This allowed unauthorised access to sensitive corporate data.
Response: Slack acknowledged the breach and provided details to customers on how the incident was handled. It emphasised that the incident was limited in scope and did not lead to a broader compromise of their infrastructure.
In a blog post it stated: “We have determined that the incident was the result of an exposed API token. It allowed unauthorised access to certain parts of our system. The issue has been fully resolved and the exposed token has been invalidated.”
The company also stressed that no sensitive user data (such as private messages or account credentials) was exposed in the breach.
Slack updated its security practices around API token management, encouraging organisations to use more secure methods for handling API tokens and to adopt additional authentication measures to prevent future incidents.
Lesson: Regularly monitor and rotate API tokens and keys to mitigate the risk of misuse.
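The Slack incident above started with an API token that reached a public place. Rotation limits how long such a token stays useful; the other half of the lesson, monitoring, means catching the token before it is published. The script below is an added example (not Slack's tooling or anything from the article) of a pre-commit style check over text: it flags assignments whose key name suggests a credential and whose value is long and high-entropy, while leaving short values and low-entropy placeholders alone. The config fragment and the token value are constructed, and the key-name list and thresholds are assumptions to tune per code base.

```python
"""Flag likely credentials in text before it is committed or published.

Heuristic: a key whose name suggests a secret (token, secret, password,
api key, private key) assigned a value that is at least MIN_LEN long and
has Shannon entropy above MIN_ENTROPY bits per character.
"""
import math
import re

SECRET_KEY_RE = re.compile(
    r"(token|secret|password|passwd|api[_-]?key|private[_-]?key)", re.I)
ASSIGN_RE = re.compile(
    r"""(?P<key>[A-Za-z_][A-Za-z0-9_.-]*)\s*[:=]\s*["']?"""
    r"""(?P<val>[A-Za-z0-9_\-./+=]{8,})["']?""")
MIN_LEN = 20
MIN_ENTROPY = 3.5  # bits/char; random hex tops out at 4.0, base64 at 6.0


def shannon_entropy(s):
    """Bits of entropy per character of s, from its symbol frequencies."""
    if not s:
        return 0.0
    counts = {}
    for c in s:
        counts[c] = counts.get(c, 0) + 1
    n = len(s)
    return -sum((k / n) * math.log2(k / n) for k in counts.values())


def find_candidate_secrets(text):
    """Return findings (line, key, entropy, redacted preview) for text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ASSIGN_RE.finditer(line):
            key, val = m["key"], m["val"]
            if not SECRET_KEY_RE.search(key):
                continue          # key name does not suggest a credential
            if len(val) < MIN_LEN:
                continue          # too short to be a real token
            ent = shannon_entropy(val)
            if ent < MIN_ENTROPY:
                continue          # placeholder-like, e.g. REPLACE_ME...
            findings.append({"line": lineno, "key": key,
                             "entropy": round(ent, 2),
                             "preview": val[:4] + "..."})  # never log it whole
    return findings


# Constructed config fragment. The hex value is a made-up token, not a
# real credential; git_commit shows that a high-entropy value under a
# non-secret key is not reported.
SAMPLE = """\
# constructed config fragment
app_name = billing-worker
api_token = 3f9c2b7e1d4a8f6b0c5e9d2a7b4f1c8e
db_password = REPLACE_ME_REPLACE_ME
git_commit = 3f9c2b7e1d4a8f6b0c5e9d2a7b4f1c8e
"""

if __name__ == "__main__":
    for f in find_candidate_secrets(SAMPLE):
        print(f"line {f['line']}: {f['key']} looks like a secret "
              f"(entropy {f['entropy']}, value {f['preview']})")
```

Entropy alone is a coarse signal: it misses real secrets with low entropy and cannot distinguish a token from a commit hash, which is why the check also looks at the key name. Provider-specific token patterns, where a provider documents them, are the natural complement. Whatever the scanner finds should be treated as already exposed: revoke and reissue the token, then fix the source.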