The content is as follows:
"What happened?
*** application servers run using Amazon Web Services. The configuration is
vast, consisting of thousands of servers. One of these was an old prototype
machine, which was the target of the breach.
The machine had been running since before 2012, and was not in active use.
It was penetrated using the shellshock vulnerability, and since it was no
longer in active use, it did not have the appropriate patch installed.
The old prototype machine had our AWS API access key and secret key. Once
the hacker gained access to the keys, he created an IAM user, and generated
a key-pair. He was then able to run an instance inside our AWS account using
these credentials, and mount one of our backup disks. This backup was of
one of our component services, used for production environment, and
contained a config file with our database password. He also whitelisted his
IP on our database security group, which is the AWS firewall.
He began to copy one of our tables, which contained partial user information,
including email IDs, hashed passwords, and last tested URL. His copy
operation locked the database table, which raised alerts on our monitoring
system. On receiving the alerts, we checked the logs, saw an unrecognized IP,
and blocked it right away. In that time, the hacker had been able to
retrieve only a portion of the data. Finally, using this data and the SES
credentials, he was able to 。。。。。"
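
The sequence the report describes (a new IAM identity, a new instance, a mounted disk, then a firewall rule admitting the caller's own address) can be searched for in CloudTrail-style records. The following is an added example, not part of the quoted report or the company's tooling; the stage mapping, function names, six-hour window and sample records are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Assumed mapping of CloudTrail eventName values to the steps in the report.
STAGES = {
    "CreateUser": "new_identity", "CreateAccessKey": "new_identity",
    "CreateKeyPair": "new_identity", "RunInstances": "compute", "AttachVolume": "disk_access",
    "AuthorizeSecurityGroupIngress": "firewall_change",
    "AuthorizeDBSecurityGroupIngress": "firewall_change",
}
REQUIRED = {"new_identity", "compute", "firewall_change"}

def event_time(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_chains(records, window=timedelta(hours=6)):
    """Flag IPs that create an identity, then launch compute and change a firewall rule."""
    by_ip = {}
    for rec in sorted(records, key=event_time):
        stage = STAGES.get(rec["eventName"])
        if stage:
            by_ip.setdefault(rec["sourceIPAddress"], []).append((stage, rec))
    findings = []
    for ip, events in by_ip.items():
        first = next((event_time(r) for s, r in events if s == "new_identity"), None)
        if first is None:
            continue  # no identity creation from this address
        chain = [(s, r) for s, r in events if first <= event_time(r) <= first + window]
        stages = {s for s, _ in chain}
        if REQUIRED <= stages:
            own = any(s == "firewall_change" and f"{ip}/32" in  # caller allowed its own IP?
                      json.dumps(r.get("requestParameters", {})) for s, r in chain)
            findings.append({"ip": ip, "stages": sorted(stages), "self_allowlisted": own})
    return findings

def sample_event(time, name, ip, params=None):
    return {"eventTime": f"2014-01-01T{time}Z", "eventName": name,
            "sourceIPAddress": ip, "requestParameters": params or {}}

# Constructed sample records (documentation-range IPs, simplified parameters).
SAMPLE = [
    sample_event("09:00:00", "RunInstances", "198.51.100.20"),
    sample_event("09:05:00", "AuthorizeSecurityGroupIngress", "198.51.100.20", {"cidrIp": "10.0.0.0/8"}),
    sample_event("10:00:00", "CreateUser", "203.0.113.7", {"userName": "example-user"}),
    sample_event("10:01:00", "CreateAccessKey", "203.0.113.7"),
    sample_event("10:10:00", "RunInstances", "203.0.113.7"),
    sample_event("10:15:00", "AttachVolume", "203.0.113.7"),
    sample_event("10:20:00", "AuthorizeSecurityGroupIngress", "203.0.113.7", {"cidrIp": "203.0.113.7/32"}),
]
```

Real CloudTrail `requestParameters` for ingress changes are nested more deeply than in these records, which is why the check searches the serialized parameters rather than a fixed key.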