Support system service account compromise
Attackers used a compromised service account tied to Okta customer support. Stolen session artifacts in support files enabled downstream customer session hijacking attempts.
Service accounts with broad support access require the same ownership, rotation, and evidence discipline as production IAM roles.
Okta Security blog, November 2023
Engineer session led to customer secret exfiltration
A compromised engineer laptop session allowed access to databases holding customer environment variables, tokens, and API keys used in CI.
CI/CD platforms concentrate machine credentials. Inventory and blast radius mapping must include pipeline secrets, not only Git commits.
CircleCI official incident report, January 2023
Employee token misuse against GitHub
Stolen employee tokens were used to access external GitHub repositories and download private code.
Developer tokens bridge human and machine identity boundaries. Owner attribution and scope review must cover employee-issued automation credentials.
Slack security blog, January 2023
Over-permissive Azure SAS token exposure
A researcher-shared URL contained an overly broad shared access signature, exposing internal backup and collaboration data.
Cloud storage tokens are machine identities with implicit blast radius. Least privilege and expiry enforcement need continuous inventory.
Microsoft MSRC blog, September 2023
Supply chain script modification
Attackers altered a Bash uploader script for months, exporting CI environment variables that often contained customer API keys and tokens.
Third-party CI tools inherit secrets from every customer pipeline. Supply chain identity risk extends beyond your own repositories.
Codecov security update, April 2021
Okta support breach session reuse
Session material from Okta support system exposure was used in an attempt to access Cloudflare administrative accounts.
Downstream identity providers amplify single machine identity failures across the vendor graph.
Cloudflare engineering blog, October 2023
Contractor compromise to internal tools
After MFA fatigue on a contractor account, attackers accessed internal SSO and cloud tooling, forcing broad key rotation across services.
Contractor and workforce-adjacent identities often hold paths to service accounts and automation keys with unclear owners.
Uber newsroom security update, September 2022
DevOps secrets in cloud backups
Follow-on access to cloud storage backups exposed DevOps secrets, integration keys, and customer vault material.
Secrets managers do not replace governance. Backup paths and break-glass credentials are machine identities requiring owners and evidence.
LastPass security blog, March 2023