Incidents

Analysis of real-world cloud security breaches and failures.

Incidents document what actually went wrong in real-world cloud environments. These are not theoretical risks - they are confirmed failures, breaches and exposure events that fuel SkySiege’s cloud testing.

Our Incident knowledge base answers the question: “Why do we need a secure and operational cloud?”

Here’s why…

Incidents Articles

Capital One Data Breach Exposed 100 Million Records Through Over-Privileged AWS Edge Infrastructure

Capital One disclosed a data security incident affecting approximately 100 million individuals in the United States and Canada, including personal information, customer status data, 140,000 Social …

React2Shell Exploitation Exposed Internet-Facing Next.js Apps to Large-Scale Credential Theft

Cisco Talos reported that UAT-10608 exploited the React2Shell vulnerability, tracked as CVE-2025-55182, to gain remote code execution on publicly reachable Next.js applications and harvest credentials …

Railway's GCP Account Deletion Exposed a Single-Provider Business Failure

Railway’s reported outage is best understood as an operational dependency failure with direct security and governance implications. The core lesson is not a classic intrusion scenario, but the …

Microsoft Exposed Internal Data Through an Over-Permissive Azure SAS Token in a Public GitHub Repository

Microsoft disclosed an incident where a blob storage URL containing an overly permissive Azure Shared Access Signature token was posted by an employee in a public GitHub repository, allowing Wiz to …

Mexican voter database exposed on AWS after MongoDB was left publicly accessible

A copy of the Mexican National Electoral Institute voter database containing 93 million records was exposed from a MongoDB deployment on Amazon EC2 after being left reachable from the internet with no …

Grafana Breach Exposed Private Repositories After a Missed GitHub Workflow Token Rotation

Grafana confirmed its breach stemmed from a compromised CI/CD environment after malicious TanStack npm packages exfiltrated GitHub workflow tokens and one token missed during rotation was later used …

European Commission AWS Breach Exposed 71 EU Clients Through Stolen CI/CD Cloud Credentials

CERT-EU attributed the European Commission cloud breach to TeamPCP, which used a compromised AWS API key stolen in the Trivy supply-chain attack to access the Commission’s Amazon cloud …

Cursor AI agent deleted PocketOS production data after finding an overprivileged API token in a file

PocketOS lost its production database and associated backups after a Cursor agent powered by Claude located an API token in a file and used it to delete the Railway volume holding the data. The …

CISA Contractor Exposed High-Privilege AWS GovCloud Credentials in a Public GitHub Repository

A contractor-maintained GitHub repository associated with CISA publicly exposed plaintext passwords, tokens, logs and high-privilege AWS GovCloud credentials, with Seralys validating that at least …

Authenticated Users Exposed to Sensitive Financial Data Through Production Misconfiguration

A production configuration failure exposed highly sensitive data at scale to users who were authenticated but not authorised to access it, creating a clear access control and governance breakdown in a …

Poland Railway Disruption Exposed Unauthenticated Emergency Stop Commands

Poland’s railway disruption demonstrates a core control failure: safety-critical operational commands were accepted without authentication or authorization, allowing unauthorised actors to …

ADT breach tied to vishing-led Okta compromise and Salesforce data theft

ADT confirmed unauthorised access to customer and prospective customer data after detecting the intrusion on April 20 and later determining that personal information had been stolen. The key aspect is …

Verizon customer data exposed through public NICE Systems AWS S3 bucket

UpGuard identified a publicly accessible AWS S3 repository operated by NICE Systems, a Verizon third-party vendor, that exposed customer call-centre logs containing names, addresses, phone numbers, …

Mazda Exposed Employee and Partner Data Through a Small Internet-Exposed Warehouse System

Mazda reported the matter to Japan’s Personal Information Protection Commission, investigated with external specialists and implemented remediation including reduced internet exposure, patching, …

Google Maps API Key Exposure Highlights GCP Project Isolation Failure

Whilst only affecting smaller hobby accounts, both scenarios identify a clear cloud security failure pattern: public Google Maps API keys are intentionally exposed to browsers, yet they can create …

Microsoft support analytics database exposed by network security group misconfiguration

Microsoft disclosed that an internal customer support case analytics database was exposed after a network security group change on December 5, 2019 introduced overly permissive security rules and the …

Imperva Cloud WAF breach traced to exposed AWS instance and stolen long-lived admin API key

Imperva disclosed that its Cloud WAF data exposure stemmed from unauthorised use of an administrative API key in a production AWS account, leading to access to a database snapshot containing email …

Exposed Internet-Facing Elasticsearch on EC2 Creates Preventable Data Exposure and RCE Risk

This incident is a classic misconfiguration leading to a total data breach - Elasticsearch deployed on EC2 without authentication on port 9200 and left reachable from the public internet. This is not …

Deep Root Analytics Exposed 198 Million U.S. Voter Records Through a Public AWS S3 Bucket

UpGuard reported that Deep Root Analytics exposed 1.1 TB of downloadable data for up to 198 million potential U.S. voters through an Amazon Web Services S3 bucket with no access protections.

Dow Jones S3 Bucket Exposed Customer Data Through AWS 'Authenticated Users' Access

Dow Jones exposed customer and Risk & Compliance data after an Amazon S3 bucket was misconfigured to permit access to AWS “authenticated users,” which UpGuard identified as effectively …

Code Spaces collapsed after AWS account compromise enabled destructive deletion of core infrastructure and customer data

Code Spaces shut down after an unauthorised party accessed its AWS account and permanently deleted most customer data, including Apache Subversion repositories, Elastic Block Store volumes and all …

Accenture Exposed Public S3 Buckets Containing Cloud Platform Credentials and Keys

In a typical incident where S3 buckets have been left exposed to the internet, UpGuard reported that Accenture left four AWS S3 buckets publicly accessible on the internet, allowing anyone with the …

Stryker Needed Three Weeks to Reach Partial Recovery After Wiper Attack

BleepingComputer reports that Stryker needed roughly three weeks to return to a broadly similar level of operation after attackers allegedly stole 50TB of data and wiped nearly 80,000 devices. Even …

Aura Data Breach

BleepingComputer reports that Aura confirmed unauthorised access to nearly 900,000 records after a voice phishing attack against an employee. Aura says the exposed dataset came from a marketing tool …

Trivy Supply Chain Attack Exposes Secrets Across CI/CD Pipelines

Socket, Wiz, and Aqua Security report that attackers compromised Trivy’s build pipeline and GitHub Actions, distributing trojanized binaries and workflows that harvested sensitive credentials across …

Reference: When is S3 data public?

SkySiege tests A-S3-4, A-S3-5, A-S3-6, A-S3-7, A-S3-8 and A-S3-9 all focus on public access blocks and the quality of S3 Bucket Policies. The reasoning for this is simple - Public Access Blocks and …
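An added example for this reference, written for this page and not SkySiege's own test code: it combines the three layers AWS actually evaluates when deciding whether a bucket is public, namely the Public Access Block settings, the bucket ACL and the bucket policy. The ACL grant to the AWS "authenticated users" group mirrors the Dow Jones excerpt above (any AWS account holder, not your users). All inputs below are constructed; the bucket name, canonical ID and VPC endpoint ID are placeholders. Treating any Condition block as "not public" is a deliberate simplification: AWS only recognises a specific set of condition keys as narrowing a grant.

```python
"""Decide whether an S3 bucket is reachable by the public, the way the
Public Access Block, ACL and bucket-policy layers combine in AWS.
Example written for this page; every input below is constructed."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers",
                 AUTH_USERS: "AuthenticatedUsers (any AWS account)"}


def _principal_is_public(principal):
    """'*' or {"AWS": "*"} (or a list containing "*") means anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy):
    """Sids of Allow statements that grant to everyone with no Condition.
    Simplification: any Condition is treated as narrowing the grant."""
    found = []
    if not policy:
        return found
    doc = json.loads(policy) if isinstance(policy, str) else policy
    for i, st in enumerate(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not _principal_is_public(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue
        found.append(st.get("Sid", f"statement[{i}]"))
    return found


def public_acl_grants(grants):
    """(who, permission) for each public-group grant in a GetBucketAcl list."""
    out = []
    for g in grants or []:
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            out.append((PUBLIC_GROUPS[grantee["URI"]], g.get("Permission")))
    return out


def bucket_public_exposure(pab, grants, policy):
    """Combine the three layers; returns a list of reasons (empty = not public).
    pab is the PublicAccessBlockConfiguration dict; a missing key or a
    missing block means no protection, which is how older buckets were left."""
    pab = pab or {}
    reasons = []
    # IgnorePublicAcls makes existing public ACL grants inert.
    if not pab.get("IgnorePublicAcls", False):
        for who, perm in public_acl_grants(grants):
            reasons.append(f"ACL grants {perm} to {who}")
    # RestrictPublicBuckets neutralises an already-attached public policy;
    # BlockPublicPolicy only stops a new public policy being attached.
    if not pab.get("RestrictPublicBuckets", False):
        for sid in public_policy_statements(policy):
            reasons.append(f"bucket policy statement '{sid}' allows Principal *")
    return reasons


# Constructed inputs (placeholders, not real identifiers).
AUTHENTICATED_USERS_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "READ"},
]
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAnyoneRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
}
LOCKED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    # Same ACL and policy; only the Public Access Block differs.
    print(bucket_public_exposure({}, AUTHENTICATED_USERS_ACL, PUBLIC_POLICY))
    print(bucket_public_exposure(LOCKED_PAB, AUTHENTICATED_USERS_ACL, PUBLIC_POLICY))
```

The two print calls show the point of the reference: with no Public Access Block the bucket is exposed twice over (ACL and policy), and with all four block settings on, the identical ACL and policy expose nothing. In practice you would feed `bucket_public_exposure` the output of `get_public_access_block`, `get_bucket_acl` and `get_bucket_policy` from boto3, remembering that `get_public_access_block` raises when no block exists, which maps to the empty dict here.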

Cracking Weak DKIM

Test A-R53-10 reviews DKIM records to determine if the DKIM key is of a suitable size. As the DKIM key is part of an asymmetric key pair, we can infer certain properties of the corresponding private key, …
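An added example of the size check itself, written for this page rather than taken from the A-R53-10 test: the `p=` tag of a DKIM TXT record is a base64 DER SubjectPublicKeyInfo, so the RSA modulus length (which is the size of the private key too) can be read straight out of DNS without any signing material. The records below are constructed from arbitrary moduli of the chosen size, not real keys; the 2048-bit threshold is an assumption that follows the RFC 8301 recommendation for signers. In practice the record comes from `dig +short TXT <selector>._domainkey.<domain>`.

```python
"""Measure the RSA key size advertised in a DKIM DNS TXT record.
Added example for this page; records below are constructed, not real keys."""
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption


# ---- minimal DER helpers, enough for an RSA SubjectPublicKeyInfo ----
def _der_tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _der_int(i):
    b = i.to_bytes((i.bit_length() + 7) // 8, "big") or b"\x00"
    if b[0] & 0x80:
        b = b"\x00" + b            # keep the INTEGER positive
    return _der_tlv(0x02, b)


def _der_read(buf, pos=0):
    """Read one TLV; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_spki(n, e=65537):
    """Encode an RSA public key as the SubjectPublicKeyInfo DKIM puts in p=."""
    alg = _der_tlv(0x30, _der_tlv(0x06, RSA_OID) + b"\x05\x00")
    pub = _der_tlv(0x30, _der_int(n) + _der_int(e))
    return _der_tlv(0x30, alg + _der_tlv(0x03, b"\x00" + pub))


def rsa_modulus_bits(spki):
    """Walk SPKI -> BIT STRING -> RSAPublicKey -> modulus INTEGER."""
    tag, body, _ = _der_read(spki)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, alg, pos = _der_read(body)
    if _der_read(alg)[1] != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _der_read(body, pos)
    if tag != 0x03:
        raise ValueError("missing BIT STRING")
    _, rsapub, _ = _der_read(bits[1:])          # bits[0] is the unused-bit count
    _, n_bytes, _ = _der_read(rsapub)
    return int.from_bytes(n_bytes, "big").bit_length()


def parse_dkim_record(txt):
    """'v=DKIM1; k=rsa; p=...' -> dict. DNS splits TXT data into 255-byte
    strings, so quotes and whitespace between chunks are stripped from p=."""
    tags = {}
    for part in txt.replace('"', "").split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags


def assess_dkim(txt, min_bits=2048):
    """Return {'status': ..., 'bits': ...}; min_bits=2048 is an assumed threshold."""
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        return {"status": "invalid", "bits": None}
    if not tags.get("p"):
        return {"status": "revoked", "bits": None}   # empty p= revokes the key
    if tags.get("k", "rsa") != "rsa":
        return {"status": "non-rsa", "bits": None}
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    return {"status": "weak" if bits < min_bits else "ok", "bits": bits}


# Constructed records: arbitrary odd moduli of the chosen size (not real keys),
# which is all a size check needs. OK_TXT is split into two quoted strings
# the way a resolver returns a long TXT record.
WEAK_TXT = "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki((1 << 1023) | 0x10001)).decode()
_b64 = base64.b64encode(rsa_spki((1 << 2047) | 0x10001)).decode()
OK_TXT = f'"v=DKIM1; k=rsa; p={_b64[:255]}" "{_b64[255:]}"'

if __name__ == "__main__":
    print(assess_dkim(WEAK_TXT))
    print(assess_dkim(OK_TXT))
```

Two things worth keeping from this: an empty `p=` is not a broken record but a deliberate revocation, and long keys always arrive as several quoted strings, so a checker that reads only the first string will under-report the key size.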

Reference: What's in a name?

Test A-R53-8 specifically looks for domains that are due to expire within the next 90 days and do not have any form of auto-renewal. We reference the risk of expired domains being squatted, whereby …