#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News
State of SaaS

amazon | Breaking Cybersecurity News | The Hacker News

Category — amazon
E.U. Commission Fined for Transferring User Data to Meta in Violation of Privacy Laws

E.U. Commission Fined for Transferring User Data to Meta in Violation of Privacy Laws

Jan 09, 2025 Data Privacy / GDPR
The European General Court on Wednesday fined the European Commission, the primary executive arm of the European Union responsible for proposing and enforcing laws for member states, for violating the bloc's own data privacy regulations. The development marks the first time the Commission has been held liable for infringing stringent data protection laws in the region. The court determined that a "sufficiently serious breach" was committed by transferring a German citizen's personal data, including their IP address and web browser metadata, to Meta's servers in the United States when visiting the now-inactive futureu.europa[.]eu website in March 2022. The individual registered for one of the events on the site by using the Commission's login service, which included an option to sign in using a Facebook account. "By means of the 'Sign in with Facebook' hyperlink displayed on the E.U. Login webpage, the Commission created the conditions for t...
 EleKtra-Leak Cryptojacking Attacks Exploit AWS IAM Credentials Exposed on GitHub

EleKtra-Leak Cryptojacking Attacks Exploit AWS IAM Credentials Exposed on GitHub

Oct 30, 2023 Cloud Security / Cryptocurrency
A new ongoing campaign dubbed  EleKtra-Leak  has set its eyes on exposed Amazon Web Service (AWS) identity and access management (IAM) credentials within public GitHub repositories to facilitate cryptojacking activities. "As a result of this, the threat actor associated with the campaign was able to create multiple AWS Elastic Compute (EC2) instances that they used for wide-ranging and long-lasting cryptojacking operations," Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist  said  in a technical report shared with The Hacker News. The operation, active since at least December 2020, is designed to mine Monero from as many as 474 unique Amazon EC2 instances between August 30 and October 6, 2023. A standout aspect of the attacks is the automated targeting of AWS IAM credentials within four minutes of their initial exposure on GitHub, indicating that threat actors are  programmatically cloning and scanning the repositories  to captur...
4 Reasons Your SaaS Attack Surface Can No Longer be Ignored

4 Reasons Your SaaS Attack Surface Can No Longer be Ignored

Jan 14, 2025SaaS Security / Generative AI
What do identity risks, data security risks and third-party risks all have in common? They are all made much worse by SaaS sprawl. Every new SaaS account adds a new identity to secure, a new place where sensitive data can end up, and a new source of third party risk. Learn how you can protect this sprawling attack surface in 2025. What do identity risks, data security risks and third-party risks all have in common? They are all made much worse by SaaS sprawl. Every new SaaS account adds a new identity to secure, a new place where sensitive data can end up, and a new source of third-party risk. And, this growing attack surface, much of which is unknown or unmanaged in most orgs, has become an attractive target for attackers. So, why should you prioritize securing your SaaS attack surface in 2025? Here are 4 reasons. ‍ 1. Modern work runs on SaaS. When's the last time you used something other than a cloud-based app to do your work? Can't remember? You're not alone.  Outside of ...
New Supply Chain Attack Exploits Abandoned S3 Buckets to Distribute Malicious Binaries

New Supply Chain Attack Exploits Abandoned S3 Buckets to Distribute Malicious Binaries

Jun 15, 2023 Software Supply Chain
In what's a new kind of software supply chain attack aimed at open source projects, it has emerged that threat actors could seize control of expired Amazon S3 buckets to serve rogue binaries without altering the modules themselves. "Malicious binaries steal the user IDs, passwords, local machine environment variables, and local host name, and then exfiltrates the stolen data to the hijacked bucket," Checkmarx researcher Guy Nachshon said. The attack was first observed in the case of an npm package called  bignum , which, until version 0.13.0, relied on an Amazon S3 bucket to download pre-built binary versions of an addon named node-pre-gyp during installation. "These binaries were published on a now-expired S3 bucket which has since been claimed by a malicious third party which is now serving binaries containing malware that exfiltrates data from the user's computer," according to a  GitHub advisory  published on May 24, 2023. An unknown threat actor ...
cyber security

2024: A Year of Identity Attacks | Get the New eBook

websitePush SecurityIdentity Security
Prepare to defend against identity attacks in 2025 by looking back at identity-based breaches in 2024.
FTC Slams Amazon with $30.8M Fine for Privacy Violations Involving Alexa and Ring

FTC Slams Amazon with $30.8M Fine for Privacy Violations Involving Alexa and Ring

Jun 03, 2023 Privacy / Technology
The U.S. Federal Trade Commission (FTC) has fined Amazon a cumulative $30.8 million over a series of privacy lapses regarding its Alexa assistant and Ring security cameras. This comprises a $25 million penalty for breaching children's privacy laws by retaining their Alexa voice recordings for indefinite time periods and preventing parents from exercising their deletion rights. "Amazon's history of misleading parents, keeping children's recordings indefinitely, and flouting parents' deletion requests violated  COPPA  and sacrificed privacy for profits," FTC's Samuel Levine said. As part of the court order, the retail giant has been mandated to delete the collected information, including inactive child accounts, geolocation data, and voice recordings, and prohibited from gathering such data to train its algorithms. It's also required to disclose to customers its data retention practices. Amazon has also agreed to fork out an additional $5.8 million ...
Indonesian Cybercriminals Exploit AWS for Profitable Crypto Mining Operations

Indonesian Cybercriminals Exploit AWS for Profitable Crypto Mining Operations

May 22, 2023 Cryptocurrency / Cloud Security
A financially motivated threat actor of Indonesian origin has been observed leveraging Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances to carry out illicit crypto mining operations. Cloud security company's Permiso P0 Labs, which first detected the group in November 2021, has assigned it the moniker  GUI-vil  (pronounced Goo-ee-vil). "The group displays a preference for Graphical User Interface (GUI) tools, specifically S3 Browser (version 9.5.5) for their initial operations," the company said in a report shared with The Hacker News. "Upon gaining AWS Console access, they conduct their operations directly through the web browser." Attack chains mounted by GUI-vil entail obtaining initial access by weaponizing AWS keys in publicly exposed source code repositories on GitHub or scanning for GitLab instances that are vulnerable to remote code execution flaws (e.g.,  CVE-2021-22205 ). A successful ingress is followed by privilege escalation and...
TikTok Fined $5.4 Million by French Regulator for Violating Cookie Laws

TikTok Fined $5.4 Million by French Regulator for Violating Cookie Laws

Jan 14, 2023 Privacy / Online Safety
Popular short-form video hosting service TikTok has been fined €5 million (about $5.4 million) by the French data protection watchdog for breaking cookie consent rules, making it the latest platform to face similar penalties after  Amazon, Google, Meta , and  Microsoft  since 2020. "Users of 'tiktok[.]com' could not refuse cookies as easily as accepting them and they were not informed in a sufficiently precise way of the objectives of the different cookies," the Commission nationale de l'informatique et des libertés (CNIL)  said  in a statement. The regulator said it conducted several audits between May 2020 and June 2022, finding that the ByteDance-owned company did not offer a straightforward option to refuse all cookies as opposed to just one click for accepting them. The option to "refuse all" cookies was introduced by TikTok in February 2022. "Making the opt-out mechanism more complex is in fact discouraging users from refusing cookies and...
Serious Attacks Could Have Been Staged Through This Amazon ECR Public Gallery Vulnerability

Serious Attacks Could Have Been Staged Through This Amazon ECR Public Gallery Vulnerability

Dec 13, 2022 Software Security / Cloud Security
A critical security flaw has been disclosed in Amazon Elastic Container Registry (ECR) Public Gallery that could have been potentially exploited to stage a multitude of attacks, according to cloud security firm Lightspin. "By exploiting this vulnerability, a malicious actor could delete all images in the Amazon ECR Public Gallery or update the image contents to inject malicious code," Gafnit Amiga, director of security research at Lightspin, said in a report shared with The Hacker News. "This malicious code is executed on any machine that pulls and runs the image, whether on user's local machines, Kubernetes clusters or cloud environments." ECR is a  container image registry service  managed by Amazon Web Services, enabling users to package code as Docker images and deploy the artifacts in a scalable manner. Public repositories hosted on ECR are displayed in what's called the  ECR Public Gallery . "By default, your account has read and write acce...
Researchers Detail AppSync Cross-Tenant Vulnerability in Amazon Web Services

Researchers Detail AppSync Cross-Tenant Vulnerability in Amazon Web Services

Nov 28, 2022
Amazon Web Services (AWS) has resolved a cross-tenant vulnerability in its platform that could be weaponized by an attacker to gain unauthorized access to resources. The issue relates to a  confused deputy problem , a type of privilege escalation where a program that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action. The shortcoming was reported by Datadog to AWS on September 1, 2022, following which a patch was shipped on September 6. "This attack abuses the AppSync service to assume [identity and access management]  roles  in other AWS accounts, which allows an attacker to pivot into a victim organization and access resources in those accounts," Datadog researcher Nick Frichette  said  in a report published last week. In a coordinated disclosure, Amazon  said  that no customers were affected by the vulnerability and that no customer action is required. It described it as a "case-sensitivity ...
Researchers Discover Hundreds of Amazon RDS Instances Leaking Users' Personal Data

Researchers Discover Hundreds of Amazon RDS Instances Leaking Users' Personal Data

Nov 16, 2022
Hundreds of databases on Amazon Relational Database Service (Amazon RDS) are exposing personal identifiable information (PII), new findings from Mitiga, a cloud incident response company, show. "Leaking PII in this manner provides a potential treasure trove for threat actors – either during the reconnaissance phase of the cyber kill chain or extortionware/ransomware campaigns," researchers Ariel Szarf, Doron Karmi, and Lionel Saposnik said in a report shared with The Hacker News. This includes names, email addresses, phone numbers, dates of birth, marital status, car rental information, and even company logins. Amazon RDS is a  web service  that makes it possible to set up relational databases in the Amazon Web Services (AWS) cloud. It offers support for different database engines such as MariaDB, MySQL, Oracle, PostgreSQL, and SQL Server. The root cause of the leaks stems from a feature called public  RDS snapshots , which allows for creating a backup of the entir...
New Amazon Ring Vulnerability Could Have Exposed All Your Camera Recordings

New Amazon Ring Vulnerability Could Have Exposed All Your Camera Recordings

Aug 19, 2022
Retail giant Amazon patched a high-severity security issue in its Ring app for Android in May that could have enabled a rogue application installed on a user's device to access sensitive information and camera recordings. The Ring app for Android has over 10 million downloads and enables users to monitor video feeds from smart home devices such as video doorbells, security cameras, and alarm systems. Amazon acquired the doorbell maker for about $1 billion in 2018. Application security firm Checkmarx  explained  it identified a cross-site scripting (XSS) flaw that it said could be weaponized as part of an attack chain to trick victims into installing a malicious app. The app can then be used to get hold of the user's Authorization Token, that can be subsequently leveraged to extract the session cookie by sending this information alongside the device's hardware ID, which is also encoded in the token, to the endpoint "ring[.]com/mobile/authorize." Armed with th...
Google Removes "App Permissions" List from Play Store for New "Data Safety" Section

Google Removes "App Permissions" List from Play Store for New "Data Safety" Section

Jul 16, 2022
Following the launch of a new "Data safety" section for Android apps on the Play Store, Google appears to be readying to remove the app permissions list from both the mobile app and the web. The change was  highlighted  by Esper's Mishaal Rahman earlier this week. The  Data safety  section, which Google began rolling out in late April 2022, is the company's answer to Apple's Privacy Nutrition Labels in iOS, allowing users to have a unified view of an app's data collection and processing practices. To that end, third-party app developers are required to furnish the required details by July 20, 2022. With this deadline now approaching next week, the tech giant has taken the step of entirely removing the permissions section. The decision also appears to be a hasty one, as a number of popular apps such as Facebook, Messenger, Instagram, WhatsApp, Amazon (including Amazon Prime Video), DuckDuckGo, Discord, and PhonePe are yet to populate their Data safety sec...
Amazon Quietly Patches 'High Severity' Vulnerability in Android Photos App

Amazon Quietly Patches 'High Severity' Vulnerability in Android Photos App

Jul 01, 2022
Amazon, in December 2021, patched a high severity vulnerability affecting its  Photos app  for Android that could have been exploited to steal a user's access tokens. "The Amazon access token is used to authenticate the user across multiple Amazon APIs, some of which contain personal data such as full name, email, and address," Checkmarx researchers João Morais and Pedro Umbelino  said . "Others, like the Amazon Drive API, allow an attacker full access to the user's files." The Israeli application security testing company reported the issue to Amazon on November 7, 2021, following which the tech giant rolled out a fix on December 18, 2021. The leak is the result of a misconfiguration in one of the app's components named "com.amazon.gallery.thor.app.activity.ThorViewActivity" that's defined in the  AndroidManifest.xml file  and which, when launched, initiates an HTTP request with a header containing the access token. In a nutshell, it...
Former Amazon Employee Found Guilty in 2019 Capital One Data Breach

Former Amazon Employee Found Guilty in 2019 Capital One Data Breach

Jun 21, 2022
A 36-year-old former Amazon employee was convicted of wire fraud and computer intrusions in the U.S. for her role in the theft of personal data of no fewer than 100 million people in the  2019 Capital One breach . Paige Thompson , who operated under the online alias "erratic" and worked for the tech giant till 2016, was found guilty of wire fraud, five counts of unauthorized access to a protected computer, and damaging a protected computer. The seven-day trial saw the jury acquitted her of other charges, including access device fraud and aggravated identity theft. She is scheduled for sentencing on September 15, 2022. Cumulatively, the offenses are punishable by up to 25 years in prison. "Ms. Thompson used her hacking skills to steal the personal information of more than 100 million people, and hijacked computer servers to mine cryptocurrency,"  said  U.S. Attorney Nick Brown. "Far from being an ethical hacker trying to help companies with their computer s...
Amazon's Hotpatch for Log4j Flaw Found Vulnerable to Privilege Escalation Bug

Amazon's Hotpatch for Log4j Flaw Found Vulnerable to Privilege Escalation Bug

Apr 21, 2022
The "hotpatch" released by Amazon Web Services (AWS) in response to the  Log4Shell  vulnerabilities could be leveraged for container escape and privilege escalation, allowing an attacker to seize control of the underlying host. "Aside from containers, unprivileged processes can also exploit the patch to escalate privileges and gain root code execution," Palo Alto Networks Unit 42 researcher Yuval Avrahami  said  in a report published this week. The issues —  CVE-2021-3100 ,  CVE-2021-3101 ,  CVE-2022-0070 , and  CVE-2022-0071  (CVSS scores: 8.8) — affect the  hotfix solutions  shipped by AWS, and stem from the fact that they are designed to search for Java processes and patch them against the Log4j flaw on the fly but without ensuring that the new Java processes are run within the restrictions imposed on the container. "Any process running a binary named 'java' – inside or outside of a container – is considered a candidate for...
Your Amazon Devices to Automatically Share Your Wi-Fi With Neighbors

Your Amazon Devices to Automatically Share Your Wi-Fi With Neighbors

May 31, 2021
Starting June 8, Amazon will automatically enable a feature on its family of hardware devices, including Echo speakers, Ring Video Doorbells, Ring Floodlight Cams, and Ring Spotlight Cams, that will share a small part of your Internet bandwidth with nearby neighbors — unless you choose to opt-out. To that effect, the company intends to register all compatible devices that are operational in the U.S. into an ambitious location-tracking system called Sidewalk as it prepares to roll out the shared mesh network in the country. Originally  announced  in September 2019,  Sidewalk  is part of Amazon's efforts to build a long-range wireless network that leverages a combination of Bluetooth and 900 MHz spectrum ( FSK ) to help Echo, Ring, Tile trackers, and other Sidewalk-enabled devices communicate over the internet without Wi-Fi. Sidewalk is designed to extend the working range of low-bandwidth devices, and help devices stay connected even if they are outside the range ...
ALERT: Malicious Amazon Alexa Skills Can Easily Bypass Vetting Process

ALERT: Malicious Amazon Alexa Skills Can Easily Bypass Vetting Process

Feb 26, 2021
Researchers have uncovered gaps in Amazon's skill vetting process for the Alexa voice assistant ecosystem that could allow a malicious actor to publish a deceptive skill under any arbitrary developer name and even make backend code changes after approval to trick users into giving up sensitive information. The findings were presented on Wednesday at the Network and Distributed System Security Symposium (NDSS) conference by a group of academics from Ruhr-Universität Bochum and the North Carolina State University, who analyzed 90,194 skills available in seven countries, including the US, the UK, Australia, Canada, Germany, Japan, and France. Amazon Alexa allows third-party developers to create additional functionality for devices such as Echo smart speakers by configuring "skills" that run on top of the voice assistant, thereby making it easy for users to initiate a conversation with the skill and complete a specific task.  Chief among the findings is the concern that ...
Chinese Spying Chips Found Hidden On Servers Used By US Companies

Chinese Spying Chips Found Hidden On Servers Used By US Companies

Oct 04, 2018
A media report today revealed details of a significant supply chain attack which appears to be one of the largest corporate espionage and hardware hacking programs from a nation-state. According to a lengthy report published today by Bloomberg, a tiny surveillance chip, not much bigger than a grain of rice, has been found hidden in the servers used by nearly 30 American companies, including Apple and Amazon. The malicious chips, which were not part of the original server motherboards designed by the U.S-based company Super Micro, had been inserted during the manufacturing process in China. The report, based on a 3-year-long top-secret investigation in the United States, claims that the Chinese government-affiliated groups managed to infiltrate the supply chain to install tiny surveillance chips to motherboards which ended up in servers deployed by U.S. military, U.S. intelligence agencies, and many U.S. companies like Apple and Amazon. "Apple made its discovery of suspi...
Amazon's Whole Foods Market Suffers Credit Card Breach In Some Stores

Amazon's Whole Foods Market Suffers Credit Card Breach In Some Stores

Sep 29, 2017
Another day, another data breach. This time Amazon-owned grocery chain has fallen victim to a credit card security breach. Whole Foods Market—acquired by Amazon for $13.7 billion in late August— disclosed Thursday that hackers were able to gain unauthorized access to credit card information for its customers who made purchases at certain venues like taprooms and full table-service restaurants located within some stores. Whole Foods Market has around 500 stores in the United States, United Kingdom, and Canada. The company did not disclose details about the targeted locations or the total number of customers affected by the breach, but it did mention that hackers targeted some of its point-of-sale (POS) terminals in an attempt to steal customer data, including credit details. The company also said people who only shopped for groceries at Whole Foods were not affected, neither the hackers were able to access Amazon transactions in the security breach. Instead, only certain venu...
US Defense Contractor left Sensitive Files on Amazon Server Without Password

US Defense Contractor left Sensitive Files on Amazon Server Without Password

May 31, 2017
Sensitive files linked to the United States intelligence agency were reportedly left on a public Amazon server by one of the nation's top intelligence contractor without a password, according to a new report. UpGuard cyber risk analyst Chris Vickery discovered  a cache of 60,000 documents from a US military project for the National Geospatial-Intelligence Agency (NGA) left unsecured on Amazon cloud storage server for anyone to access. The documents included passwords to a US government system containing sensitive information, and the security credentials of a senior employee of Booz Allen Hamilton, one of the country's top defense contractors. Although there wasn't any top secret file in the cache Vickery discovered, the documents included credentials to log into code repositories that could contain classified files and other credentials. Master Credentials to a Highly-Protected Pentagon System were Exposed Roughly 28GB of exposed documents included the privat...
How A Simple Command Typo Took Down Amazon S3 and Big Chunk of the Internet

How A Simple Command Typo Took Down Amazon S3 and Big Chunk of the Internet

Mar 03, 2017
The major internet outage across the United States earlier this week was not due to any virus or malware or state-sponsored cyber attack, rather it was the result of a simple TYPO. Amazon on Thursday admitted that an incorrectly typed command during a routine debugging of the company's billing system caused the 5-hour-long outage of some Amazon Web Services (AWS) servers on Tuesday. The issue caused tens of thousands of websites and services to become completely unavailable, while others show broken images and links, which left online users around the world confused. The sites and services affected by the disruption include Quora, Slack, Medium, Giphy, Trello, Splitwise, Soundcloud, and IFTTT, among a ton of others. Here's What Happened: On Tuesday morning, members of Amazon Simple Storage Service (S3) team were debugging the S3 cloud-storage billing system. As part of the process, the team needed to take a few billing servers offline, but unfortunately, it end...
Expert Insights / Articles Videos
Cybersecurity Resources