Threat Actor Claiming Access to AWS, Azure, & GitHub API Keys


According to a post on X (formerly known as Twitter), a threat actor is claiming to have gained access to a handful of API keys for major cloud service providers, including Amazon Web Services (AWS), Microsoft Azure, and GitHub. The actor, who goes by the alias “carlos_hank,” stated that these keys are “fresh and all working,” with high permissions that could be used to compromise entire cloud infrastructures. Representatives from the affected companies have acknowledged the actor's claims and are currently investigating the matter. In the meantime, users have been advised to rotate their API keys and implement additional security measures such as MFA.

Security Officer Comments:
The development comes after law enforcement took down BreachForums, a popular marketplace where cybercriminals bought and sold various services and access to organizations. Despite the takedown, threat actors are seeking out other similar platforms to continue their nefarious operations. The actor, carlos_hank, didn’t provide any proof of the stolen API keys, so it’s unclear whether the recent claim is legitimate. In the past, cybercriminals have made false claims as a means to gain attention and popularity within the cybercriminal community.

Suggested Corrections:
With access to API keys, threat actors could gain unauthorized entry to sensitive data stored in cloud databases, potentially causing a large-scale data breach affecting millions of users. To mitigate this risk, organizations should implement several key practices: regularly rotate API keys, restrict access based on the principle of least privilege, use encryption and secure storage management services to protect keys from unauthorized access, and closely monitor API key usage to detect any unusual activity.
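An added example (not part of the advisory) showing two of these practices in Python: auditing key age against a rotation window and flagging usage from an unfamiliar source IP, a sensitive IAM call, or a key missing from inventory. The key ids, IP addresses and CloudTrail-style records are constructed placeholders, and the 90-day rotation window is an assumption.

```python
from datetime import datetime, timezone

# Constructed sample inventory and usage records (placeholder ids, not real keys).
KEYS = {
    "AKIAEXAMPLE0001": {"created": "2024-01-10T00:00:00Z", "usual_ips": {"203.0.113.10"}},
    "AKIAEXAMPLE0002": {"created": "2024-05-01T00:00:00Z", "usual_ips": {"198.51.100.5"}},
}
EVENTS = [
    {"key_id": "AKIAEXAMPLE0001", "time": "2024-05-20T02:13:00Z", "ip": "203.0.113.10", "action": "s3:GetObject"},
    {"key_id": "AKIAEXAMPLE0001", "time": "2024-05-20T02:15:00Z", "ip": "192.0.2.77", "action": "iam:CreateUser"},
    {"key_id": "AKIAEXAMPLE0002", "time": "2024-05-20T03:00:00Z", "ip": "198.51.100.5", "action": "ec2:DescribeInstances"},
    {"key_id": "AKIAEXAMPLE0009", "time": "2024-05-20T03:05:00Z", "ip": "198.51.100.5", "action": "s3:ListBuckets"},
]
# Calls that grant or extend access and warrant review even from a usual IP.
SENSITIVE_ACTIONS = {"iam:CreateUser", "iam:CreateAccessKey", "iam:AttachUserPolicy"}

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def keys_due_for_rotation(keys, now, max_age_days=90):
    """Return key ids older than the rotation window (assumed 90 days), oldest first."""
    overdue = [(parse_ts(meta["created"]), key_id) for key_id, meta in keys.items()
               if (now - parse_ts(meta["created"])).days > max_age_days]
    return [key_id for _, key_id in sorted(overdue)]

def flag_anomalous_events(keys, events):
    """Flag events from an unseen IP, using a sensitive action, or from a key not in inventory."""
    findings = []
    for event in events:
        reasons = []
        meta = keys.get(event["key_id"])
        if meta is None:
            reasons.append("unknown_key")
        elif event["ip"] not in meta["usual_ips"]:
            reasons.append("new_source_ip")
        if event["action"] in SENSITIVE_ACTIONS:
            reasons.append("sensitive_action")
        if reasons:
            findings.append({"key_id": event["key_id"], "time": event["time"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    now = parse_ts("2024-05-20T00:00:00Z")
    print("rotate:", keys_due_for_rotation(KEYS, now))
    for finding in flag_anomalous_events(KEYS, EVENTS):
        print("review:", finding)
```

In practice the inventory would come from the provider's key listing API and the events from CloudTrail or the equivalent audit log, with the usual-IP baseline built from a trailing window of past activity.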