Public Cloud Security Breaches: Documenting their mistakes so you don't make them.

DataDog (2016)

Incident Details

Victimized Company: DataDog
Incident Dates: 2016-07-07 to 2016-07-08
Disclosure Date: 2016-07-08
Current Status: Perpetrator Unknown

In July 2016, SaaS provider DataDog suffered a breach affecting its AWS customers. The attacker targeted production infrastructure servers and a database that stores user credentials. AWS users who had shared AWS credentials with DataDog also reported issues. DataDog mitigated the breach, notified users, and advised them of the precautions they needed to take.

Incident

Details of the Incident

In July 2016, DataDog suffered a security breach. In its statement, DataDog says that the attacker gained access through a leak of an AWS access key and an SSH private key that were used by its automated provisioning and release systems. Using both keys together allowed unauthorized access to three of its AWS EC2 instances and a subset of its AWS S3 buckets. The resources breached included user credentials for DataDog's services, service metadata, and credentials for third-party integrations.

DataDog then quarantined the affected instances and sent an email warning its users of the data breach, asking them to reset their passwords and asking administrators to rotate or revoke any credentials stored in the DataDog system.

Timeline

Date          Event
July 7, 2016  Forensic analysis shows attacker activity began.
July 8, 2016  DataDog releases a Security Notice disclosing the incident details.

Attribution / Perpetrator

The perpetrator of the breach has not been identified.

Summary of coverage

Cloud Security lessons learned.

  • Avoid the use of long-term AWS Access Keys.
  • Per DataDog, only “a subset of our AWS S3 buckets” were impacted, indicating that the compromised credentials may have been properly scoped to least privilege.
  • As would be expected of an observability company, the time from initial compromise to incident detection was approximately 19 hours.
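The first lesson above, avoiding long-term AWS access keys, is easiest to act on if you can find the keys that already exist. The following is an added example, not code from the original page or from DataDog: it reads an IAM credential report (the CSV that `aws iam get-credential-report` returns, base64-encoded) and lists every active access key that has not been rotated within a threshold. The report embedded below is a constructed sample with a subset of the real report's columns, and the account id, user names and dates in it are invented.

```python
import csv
import io
from datetime import datetime

# Constructed sample modelled on the IAM credential report format (subset of columns).
# The account id, user names and timestamps are invented for this example.
SAMPLE_REPORT = """\
user,arn,user_creation_time,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2015-01-01T00:00:00+00:00,false,N/A,N/A,false,N/A,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2015-03-01T00:00:00+00:00,true,2015-03-01T00:00:00+00:00,2016-07-07T21:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2016-05-01T00:00:00+00:00,true,2016-06-20T00:00:00+00:00,2016-07-01T00:00:00+00:00,true,2016-01-10T00:00:00+00:00,N/A
bob,arn:aws:iam::123456789012:user/bob,2016-06-01T00:00:00+00:00,false,2016-06-01T00:00:00+00:00,N/A,false,N/A,N/A
"""


def _parse_ts(value):
    """Return an aware datetime, or None for the report's N/A / not_supported markers."""
    if value in ("N/A", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def find_stale_access_keys(report_csv, now, max_age_days=90):
    """Return (user, key_slot, age_days) for every active access key older than max_age_days.

    Inactive keys are skipped: they cannot authenticate, so they are not the exposure
    this check is about. Age is measured from access_key_N_last_rotated, which the
    credential report sets to the creation time for a key that has never been rotated.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in (1, 2):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                continue
            age_days = (now - rotated).days
            if age_days > max_age_days:
                findings.append((row["user"], slot, age_days))
    return findings


def audit_sample(now_iso="2016-07-08T00:00:00+00:00", max_age_days=90):
    """Run the check against the constructed sample as of a given instant."""
    return find_stale_access_keys(SAMPLE_REPORT, datetime.fromisoformat(now_iso), max_age_days)


def main():
    # Evaluate the sample as of the disclosure date in the timeline above.
    for user, slot, age_days in audit_sample():
        print(f"{user}: access key {slot} is {age_days} days old; rotate it or replace it with a role")


if __name__ == "__main__":
    main()
```

Against a real account, decode the report first (`aws iam get-credential-report --query Content --output text | base64 -d`) and pass the text to `find_stale_access_keys`. A key like the sample's `deploy-bot` entry, created for an automation system and never rotated, is exactly the kind of long-lived credential the lesson warns about; the durable fix is to have provisioning and release systems assume an IAM role so they never hold a static key at all.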