• TechOps Examples
  • Posts
  • Security Researcher Exposed AWS Keys and API Secrets of $1B VC Firm in 5 Clicks

Security Researcher Exposed AWS Keys and API Secrets of $1B VC Firm in 5 Clicks

In partnership with

TechOps Examples

Hey — It's Govardhana MK 👋

Along with a use case deep dive, we identify the top news, tools, videos, and articles in the TechOps industry.

Before we begin... a big thank you to today's sponsor The Rundown AI.

  • Get the latest developments in AI before everyone else.

  • Try The Rundown AI – learn how to apply AI in just 5 minutes a day.

  • Loved by 700,000+ professionals!

IN TODAY'S EDITION

🧠 Use Case

  • Security Researcher Exposed AWS Keys and API Secrets of $1B VC Firm in 5 Clicks

🚀 Top News

📽️ Videos

📚️ Resources

🛠️ TOOL OF THE DAY

aws-lambda-power-tuning - help you visualize and fine-tune the memory/power configuration of Lambda functions.

🧠 USE CASE

Security Researcher Exposed AWS Keys and API Secrets of $1B VC Firm in 5 Clicks

It all started on June 30, when a security researcher known as xyzeva posted on X, asking for someone from a16z, a billion-dollar venture capital firm to contact her, suggesting she had uncovered a significant security issue.

get in touch, now. its bad. security related" was the message.

xyzeva has a knack for finding vulnerabilities through casual pentesting.

She often searches Twitter, runs a quick scan, and discovers security flaws—more often than you'd expect.

This time, while exploring a16z, she found something startling: their process.env file, full of sensitive credentials, was exposed in the JavaScript of their portfolio management site.

Using Lunchcat, she uncovered AWS keys, Salesforce tokens, and more, all visible via the browser's Inspect Element.

These exposed secrets left a16z's infra vulnerable to attacks.

Here’s the exposed process.env file:

{

"MARKETPLACE_URL": "<REDACTED>",

"DATABASE_URL": "<REDACTED>",

"SALESFORCE_CLIENT_ID": "<REDACTED>",

"SALESFORCE_SECURITY_TOKEN": "<REDACTED>",

"npm_config_user_agent": "<REDACTED>",

"SALESFORCE_CLIENT_SECRET": "<REDACTED>",

"SALESFORCE_USERNAME": "<REDACTED>",

"OKTA_CLIENT_ID": "<REDACTED>",

"OKTA_CLIENT_SECRET": "<REDACTED>",

"SESSION_SECRET": "<REDACTED>",

"API_USERNAME": "<REDACTED>",

"GOOGLE_CLIENT_ID_DEVELOPMENT": "<REDACTED>",

"CLIENT_TOKEN_SECRET": "<REDACTED>",

"GOOGLE_CLIENT_SECRET_DEVELOPMENT": "<REDACTED>",

"AWS_BUCKET_NAME": "<REDACTED>",

"npm_config_prefix": "<REDACTED>",

"REACT_APP_SENTRY_DSN": "<REDACTED>",

"AWS_BUCKET_TEAM_PAGES": "<REDACTED>",

"MAILGUN_API_KEY": "<REDACTED>",

"GOOGLE_CLIENT_ID": "<REDACTED>",

"AWS_LOGO_BUCKET_URL": "<REDACTED>",

"SALESFORCE_KEY": "<REDACTED>",

"GOOGLE_CLIENT_SECRET": "<REDACTED>",

"PAPERTRAIL_API_TOKEN": "<REDACTED>",

"MAILGUN_PASSWORD": "<REDACTED>",

"OKTA_CALLBACK_URL": "<REDACTED>",

"SALESFORCE_PASSWORD": "<REDACTED>",

"MAILGUN_USER": "<REDACTED>",

"AWS_ACCESS_KEY_ID": "<REDACTED>",

"PNPM_CONFIG_CACHE": "<REDACTED>",

"AWS_SECRET_ACCESS_KEY": "<REDACTED>",

"MAILGUN_DOMAIN": "<REDACTED>",

"GOOGLE_CALLBACK_URL_DEVELOPMENT": "<REDACTED>",

"API_PASSWORD": "<REDACTED>",

"SENTRY_DSN": "<REDACTED>",

"SALESFORCE_LOGIN_URL": "<REDACTED>",

"COOKIE_SECRET": "<REDACTED>",

"OKTA_DOMAIN": "<REDACTED>",

"NODE_MODULES_CACHE": "<REDACTED>",

"GOOGLE_CALLBACK_URL": "<REDACTED>",

"NODE_ENV": "<REDACTED>",

"HEROKU_POSTGRESQL_CRIMSON_URL": "<REDACTED>",

"TALENTPLACE_URL": "<REDACTED>"

}

What was at Risk ?

With these credentials, attackers could have accessed:

  • AWS infrastructure: Full access to the firm's cloud resources.

  • Salesforce data: Potentially exposing sensitive customer and business data.

  • Mailgun services: The ability to send emails from the firm’s domain, impersonating the company.

  • Database access: Confidential data about portfolio companies and internal operations.

This use case highlights how a small flaw can impact the entire system's security.

In fact, cloud data breaches are not new.

In 2024, the average cost hit $4.88 million, a 10% rise from 2023—the highest ever recorded in IBM's Cost of a Data Breach Report 2024.

Here are actionable insights with reference docs to prevent exposed secrets in AWS:

xyzeva did not get any bug bounty for this as she revealed it publicly — but we got a good use case.

Learn AI in 5 minutes a day

This is the easiest way for a busy person wanting to learn AI in as little time as possible:

  1. Sign up for The Rundown AI newsletter

  2. They send you 5-minute email updates on the latest AI news and how to use it

  3. You learn how to become 2x more productive by leveraging AI

Looking to promote your company, product, service, or event to 16,000+ TechOps Professionals? Let's work together.