Security Researcher Exposed AWS Keys and API Secrets of $1B VC Firm in 5 Clicks
TechOps Examples
Hey — It's Govardhana MK 👋
Along with a use case deep dive, we identify the top news, tools, videos, and articles in the TechOps industry.
Before we begin... a big thank you to today's sponsor The Rundown AI.
Get the latest developments in AI before everyone else.
Try The Rundown AI – learn how to apply AI in just 5 minutes a day.
Loved by 700,000+ professionals!
IN TODAY'S EDITION
🧠 Use Case
Security Researcher Exposed AWS Keys and API Secrets of $1B VC Firm in 5 Clicks
🚀 Top News
The biggest data breaches in 2024: 1 billion stolen records and rising
📽️ Videos
The Story of Python by Its Creator Guido Van Rossum
Validate Your Terraform Configuration Like an Expert
📚️ Resources
5 Things You Can Do on Linux but Not on Windows
How to Expose Kubernetes Apps Using the Gateway API
Creating an Image Thumbnail Generator Using AWS Lambda and S3 Event Notifications with Terraform
🛠️ TOOL OF THE DAY
aws-lambda-power-tuning - helps you visualize and fine-tune the memory/power configuration of Lambda functions.
🧠 USE CASE
Security Researcher Exposed AWS Keys and API Secrets of $1B VC Firm in 5 Clicks
It all started on June 30, when a security researcher known as xyzeva posted on X, asking for someone from a16z, a billion-dollar venture capital firm, to contact her, suggesting she had uncovered a significant security issue.
“get in touch, now. its bad. security related” was the message.
someone from @a16z get in touch, now. its bad. security related.
— xyzeva (@xyz3va)
8:27 AM • Jun 30, 2024
xyzeva has a knack for finding vulnerabilities through casual pentesting.
She often searches Twitter, runs a quick scan, and discovers security flaws—more often than you'd expect.
This time, while exploring a16z, she found something startling: the contents of their process.env, full of sensitive credentials, were exposed in the JavaScript of their portfolio management site.
Using Lunchcat, she uncovered AWS keys, Salesforce tokens, and more, all visible via the browser's Inspect Element.
These exposed secrets left a16z's infrastructure vulnerable to attacks.
Here’s the exposed process.env (values redacted):
{
"MARKETPLACE_URL": "<REDACTED>",
"DATABASE_URL": "<REDACTED>",
"SALESFORCE_CLIENT_ID": "<REDACTED>",
"SALESFORCE_SECURITY_TOKEN": "<REDACTED>",
"npm_config_user_agent": "<REDACTED>",
"SALESFORCE_CLIENT_SECRET": "<REDACTED>",
"SALESFORCE_USERNAME": "<REDACTED>",
"OKTA_CLIENT_ID": "<REDACTED>",
"OKTA_CLIENT_SECRET": "<REDACTED>",
"SESSION_SECRET": "<REDACTED>",
"API_USERNAME": "<REDACTED>",
"GOOGLE_CLIENT_ID_DEVELOPMENT": "<REDACTED>",
"CLIENT_TOKEN_SECRET": "<REDACTED>",
"GOOGLE_CLIENT_SECRET_DEVELOPMENT": "<REDACTED>",
"AWS_BUCKET_NAME": "<REDACTED>",
"npm_config_prefix": "<REDACTED>",
"REACT_APP_SENTRY_DSN": "<REDACTED>",
"AWS_BUCKET_TEAM_PAGES": "<REDACTED>",
"MAILGUN_API_KEY": "<REDACTED>",
"GOOGLE_CLIENT_ID": "<REDACTED>",
"AWS_LOGO_BUCKET_URL": "<REDACTED>",
"SALESFORCE_KEY": "<REDACTED>",
"GOOGLE_CLIENT_SECRET": "<REDACTED>",
"PAPERTRAIL_API_TOKEN": "<REDACTED>",
"MAILGUN_PASSWORD": "<REDACTED>",
"OKTA_CALLBACK_URL": "<REDACTED>",
"SALESFORCE_PASSWORD": "<REDACTED>",
"MAILGUN_USER": "<REDACTED>",
"AWS_ACCESS_KEY_ID": "<REDACTED>",
"PNPM_CONFIG_CACHE": "<REDACTED>",
"AWS_SECRET_ACCESS_KEY": "<REDACTED>",
"MAILGUN_DOMAIN": "<REDACTED>",
"GOOGLE_CALLBACK_URL_DEVELOPMENT": "<REDACTED>",
"API_PASSWORD": "<REDACTED>",
"SENTRY_DSN": "<REDACTED>",
"SALESFORCE_LOGIN_URL": "<REDACTED>",
"COOKIE_SECRET": "<REDACTED>",
"OKTA_DOMAIN": "<REDACTED>",
"NODE_MODULES_CACHE": "<REDACTED>",
"GOOGLE_CALLBACK_URL": "<REDACTED>",
"NODE_ENV": "<REDACTED>",
"HEROKU_POSTGRESQL_CRIMSON_URL": "<REDACTED>",
"TALENTPLACE_URL": "<REDACTED>"
}
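The listing above is what a browser sees when a build hands the client bundle the whole server environment instead of an explicit set of public values. The following is an added example, not code from the newsletter or from a16z's site, and the environment object it uses is constructed (the key names mirror the listing; the values are fakes, including the AWS documentation example key). It contrasts the unsafe "spread everything" pattern with an allowlist keyed on Create React App's REACT_APP_ prefix, and it also refuses prefixed names that still look like credentials, since prefixing a secret to "make it work" is a common way the allowlist gets defeated.

```javascript
// Added example (not from the newsletter or a16z): building the object a
// bundler inlines into client-side JavaScript. Everything in SAMPLE_ENV is
// constructed; AKIAIOSFODNN7EXAMPLE is the AWS documentation example key.

const SAMPLE_ENV = {
  NODE_ENV: "production",
  REACT_APP_SENTRY_DSN: "https://constructedkey@o0.ingest.sentry.io/0", // browser DSNs are public by design
  REACT_APP_API_TOKEN: "constructed-api-token", // prefixed, but still a credential
  AWS_ACCESS_KEY_ID: "AKIAIOSFODNN7EXAMPLE",
  AWS_SECRET_ACCESS_KEY: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  SESSION_SECRET: "constructed-session-secret",
};

// The unsafe pattern: serialise the entire environment for the client.
// Every key, including AWS and session secrets, ends up in the browser.
function clientEnvUnsafe(env) {
  return { ...env };
}

// Public values are identified by prefix (REACT_APP_ is Create React App's
// convention). Names that look like credentials are refused even when they
// carry the prefix, and the caller gets the refused list so CI can fail loudly.
const PUBLIC_PREFIX = "REACT_APP_";
const SECRET_NAME_PATTERN = /(SECRET|PASSWORD|TOKEN|PRIVATE|CREDENTIAL|_KEY$)/i;

function clientEnvSafe(env) {
  const publicEnv = {};
  const rejected = [];
  for (const [name, value] of Object.entries(env)) {
    if (!name.startsWith(PUBLIC_PREFIX)) continue; // server-only: never leaves the build host
    if (SECRET_NAME_PATTERN.test(name.slice(PUBLIC_PREFIX.length))) {
      rejected.push(name); // public prefix on a secret-looking name
      continue;
    }
    publicEnv[name] = value;
  }
  return { publicEnv, rejected };
}

// Side-by-side view of what each approach would ship to the browser.
function compare(env) {
  const unsafeKeys = Object.keys(clientEnvUnsafe(env));
  const { publicEnv, rejected } = clientEnvSafe(env);
  return { unsafeKeys, safeKeys: Object.keys(publicEnv), rejected };
}

console.log(JSON.stringify(compare(SAMPLE_ENV), null, 2));
```

In a real build the `publicEnv` object is the only thing passed to the bundler's define step, and a non-empty `rejected` list should fail the build rather than just log.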
What was at risk?
With these credentials, attackers could have accessed:
AWS infrastructure: Full access to the firm's cloud resources.
Salesforce data: Potentially exposing sensitive customer and business data.
Mailgun services: The ability to send emails from the firm’s domain, impersonating the company.
Database access: Confidential data about portfolio companies and internal operations.
This use case highlights how a small flaw can impact the entire system's security.
In fact, cloud data breaches are not new.
In 2024, the average cost hit $4.88 million, a 10% rise from 2023—the highest ever recorded in IBM's Cost of a Data Breach Report 2024.
Here are actionable insights with reference docs to prevent exposed secrets in AWS:
Use AWS Secrets Manager to securely store sensitive credentials and automatically rotate them to avoid long-term exposure.
Apply IAM roles with least privilege to grant only necessary permissions and use AWS STS for temporary credentials, avoiding hardcoded keys.
Enable AWS CloudTrail to monitor and log all account activity for comprehensive auditing.
Activate AWS GuardDuty to detect suspicious or unauthorized activities within your AWS environment.
Implement S3 bucket policies to block public access and restrict access to only authorized resources.
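The AWS controls above limit the blast radius once a key leaks; the cheapest control is to catch the leak before the bundle is deployed. The following is an added example, not code from the newsletter, a16z or Lunchcat: a post-build check that scans the compiled client bundle against the build host's environment and against well-known credential formats, so CI fails instead of the browser's Inspect Element finding the problem. The bundle text and build environment are constructed; the AWS key is the AWS documentation example key, and the credential patterns are generic formats rather than anything taken from the incident.

```javascript
// Added example (not from the newsletter, a16z or Lunchcat): fail CI when a
// built client bundle carries server secrets. Both inputs are constructed.

const SAMPLE_BUILD_ENV = {
  NODE_ENV: "production",
  REACT_APP_SENTRY_DSN: "https://abc@o0.ingest.sentry.io/1", // public by design
  AWS_ACCESS_KEY_ID: "AKIAIOSFODNN7EXAMPLE",                  // AWS docs example key
  AWS_SECRET_ACCESS_KEY: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  DATABASE_URL: "postgres://app:constructedpw@db.internal:5432/app",
  MAILGUN_API_KEY: "constructed-mailgun-key-not-in-bundle",
};

// A minified bundle in which the whole environment was serialised (constructed).
const SAMPLE_BUNDLE = [
  '!function(){var e={"NODE_ENV":"production","REACT_APP_SENTRY_DSN":"https://abc@o0.ingest.sentry.io/1",',
  '"AWS_ACCESS_KEY_ID":"AKIAIOSFODNN7EXAMPLE","AWS_SECRET_ACCESS_KEY":"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",',
  '"DATABASE_URL":"postgres://app:constructedpw@db.internal:5432/app"};window.__ENV__=e}();',
].join("");

// Generic credential formats worth flagging regardless of where they came from.
const SECRET_FORMATS = [
  { name: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: "postgres-url-with-password", re: /\bpostgres(?:ql)?:\/\/[^:\/\s]+:[^@\s]+@/g },
  { name: "pem-private-key", re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
];

// Variables that are legitimately referenced in bundles and carry no secret.
const BENIGN_NAMES = new Set(["NODE_ENV", "PATH", "HOME", "PWD", "SHELL"]);
const PUBLIC_PREFIX = "REACT_APP_";

function scanBundle(bundleText, buildEnv, options = {}) {
  const minValueLength = options.minValueLength ?? 8; // skip short values that match by chance
  const findings = [];
  for (const [name, value] of Object.entries(buildEnv)) {
    if (BENIGN_NAMES.has(name) || name.startsWith(PUBLIC_PREFIX)) continue;
    // 1. A server-only value reproduced verbatim in the bundle.
    if (typeof value === "string" && value.length >= minValueLength && bundleText.includes(value)) {
      findings.push({ kind: "env-value-in-bundle", name });
    }
    // 2. The variable *name* as a string literal: a strong sign process.env was serialised,
    //    even when the deployed value differs from the one on the build host.
    if (bundleText.includes(`"${name}"`)) {
      findings.push({ kind: "env-name-in-bundle", name });
    }
  }
  // 3. Credential formats, whatever their origin.
  for (const { name, re } of SECRET_FORMATS) {
    for (const m of bundleText.matchAll(re)) {
      findings.push({ kind: "credential-format", name, offset: m.index });
    }
  }
  return findings;
}

// CI entry point: true means the bundle is clean and may be deployed.
function bundleIsClean(bundleText, buildEnv) {
  return scanBundle(bundleText, buildEnv).length === 0;
}

const findings = scanBundle(SAMPLE_BUNDLE, SAMPLE_BUILD_ENV);
console.log(`bundle clean: ${bundleIsClean(SAMPLE_BUNDLE, SAMPLE_BUILD_ENV)}`);
for (const f of findings) console.log(JSON.stringify(f));
```

The three checks are deliberately redundant: the value check catches secrets that were copied in by hand, the name check catches wholesale serialisation even when CI's environment holds dummy values, and the format check catches keys that never passed through the environment at all. Run it on every artifact the CDN will serve, not only the main chunk.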
xyzeva did not get any bug bounty for this as she revealed it publicly — but we got a good use case.
Learn AI in 5 minutes a day
This is the easiest way for a busy person wanting to learn AI in as little time as possible:
Sign up for The Rundown AI newsletter
They send you 5-minute email updates on the latest AI news and how to use it
You learn how to become 2x more productive by leveraging AI