AWS environment hit by data theft breach
Incident
Summary
Hide ▲
Show ▼
An AWS environment was compromised in an AI-assisted intrusion that enabled extortion, creating immediate risk of data theft and operational disruption. The actor used 72 hours to carry out work that would normally take weeks, then searched for secrets, built persistence, exfiltrated data from RDS databases, and executed impact actions against S3 buckets, ECS services, and SQS queues. The intrusion exploited gaps in secrets management, identity governance, deployment workflows, and cloud permissions.
Related Happenings
LexisNexis Legal & Professional hit by network compromise
Incident
H score38
First: 03.03.2026 17:40
Last: 03.03.2026 17:40
Sources 1
About this happening:
**LexisNexis Legal & Professional** confirmed a **server breach** after an **unauthorized party accessed a limited number of servers**, creating risk that internal customer and bu...
LexisNexis Legal & Professional hit by network compromise
IncidentAbout this happening: **LexisNexis Legal & Professional** confirmed a **server breach** after an **unauthorized party accessed a limited number of servers**, creating risk that internal customer and bu...
Exposed security-training web apps exploitation wave
Exploitation Wave
H score41
First: 21.01.2026 16:00
Last: 21.01.2026 16:00
Sources 1
About this happening:
**DVWA**, **OWASP Juice Shop**, **Hackazon**, and **bWAPP** instances exposed in cloud environments are being **actively exploited**, putting **Fortune 500 companies** and securit...
Exposed security-training web apps exploitation wave
Exploitation WaveAbout this happening: **DVWA**, **OWASP Juice Shop**, **Hackazon**, and **bWAPP** instances exposed in cloud environments are being **actively exploited**, putting **Fortune 500 companies** and securit...
AWS IAM credential-abuse crypto-mining campaign
Campaign
H score34
First: 16.12.2025 18:35
Last: 16.12.2025 18:35
Sources 1
About this happening:
The **AWS**-targeting campaign is using **compromised IAM credentials** to deploy **cryptocurrency mining** resources across customer environments, creating immediate cost and res...
AWS IAM credential-abuse crypto-mining campaign
CampaignAbout this happening: The **AWS**-targeting campaign is using **compromised IAM credentials** to deploy **cryptocurrency mining** resources across customer environments, creating immediate cost and res...
DragonForce campaign expands across multiple victims
Campaign
H score39
First: 03.12.2025 17:05
Last: 03.12.2025 17:05
Sources 1
About this happening:
**DragonForce** is a **ransomware campaign** that pairs follow-on encryption with **Scattered Spider**-linked intrusion tradecraft against **high-value targets**. In **December 20...
DragonForce campaign expands across multiple victims
CampaignAbout this happening: **DragonForce** is a **ransomware campaign** that pairs follow-on encryption with **Scattered Spider**-linked intrusion tradecraft against **high-value targets**. In **December 20...
Timeline
-
08.07.2026 15:30 2 articles · 1d ago
Sygnia details AI-assisted AWS compromise for extortion
Initial DisclosureSygnia says a lone threat actor used AI-assisted workflows to compromise an AWS environment for extortion after obtaining an access key through weaknesses in an internet-facing application. The post-compromise activity unfolded over 72 hours and included searching for secrets and credentials, creating persistence with new access keys and IAM users, establishing reverse shells on EC2 instances and ECS containers, exfiltrating data from RDS databases, and disrupting S3 buckets, ECS services, and SQS queues while exploiting gaps in secrets management, identity governance, deployment workflows, cloud permissions, visibility, monitoring, and incident preparedness.
Show sources
- Threat Actors Uses Agentic AI to Rapidly Compromise Cloud Target — www.infosecurity-magazine.com — 08.07.2026 15:30
- Threat Actors Uses Agentic AI to Rapidly Compromise Cloud Target — www.infosecurity-magazine.com — 08.07.2026 15:30