Over the past decade, cloud adoption has become nearly universal — and so have the attacks targeting it. As businesses migrated workloads and data to AWS, Azure, Google Cloud, and other SaaS platforms, threat actors evolved their methods to exploit new weaknesses.
From credential theft and misconfigurations to supply-chain compromises, the pattern is clear: cloud breaches often stem not from the technology itself, but from how it’s configured and managed.
Below is a high-level look at the most significant cloud security incidents of the last ten years, their underlying attack methods, and what they reveal about the evolving threat landscape.
Across nearly every major breach, several recurring attack vectors stand out:
Misconfiguration and exposed storage: Publicly exposed storage buckets, unrestricted access controls, and unsecured management interfaces remain leading causes of cloud breaches. Attackers frequently scan the internet for open S3 buckets, Azure Blobs, or Google Cloud Storage buckets to exfiltrate sensitive data.
Identity and credential weaknesses: Stolen or reused credentials, insufficient multi-factor authentication (MFA), and overly permissive IAM roles are some of the most common doorways into cloud environments.
Supply-chain compromise: Attackers increasingly target trusted vendors or service providers, knowing that a single compromise can cascade across multiple client environments.
Abuse of cloud compute: Once inside, attackers often exploit cloud compute or serverless functions for cryptojacking or lateral movement, leveraging the provider’s infrastructure to conceal their activity.
Data theft and extortion: Whether by direct theft or ransomware, data remains the end goal. Attackers exfiltrate sensitive cloud data or encrypt it to demand ransom from organizations desperate to recover operations.
Misconfigured AWS role and stolen access keys (100M+ customer records)
What: Attackers exploited a misconfigured firewall/role and obtained AWS access keys to exfiltrate customer data (over 100M records).
Cloud relevance / MO: Direct cloud storage / IAM misconfiguration combined with stolen/abused credentials.
Impact: Massive personal data exposure and regulatory fallout.
Lesson: Misconfigurations + over-privileged roles = catastrophic blast radius.
SolarWinds Orion supply-chain compromise
What: Malicious code was inserted into trusted SolarWinds Orion updates and delivered to thousands of customers; attackers used the backdoor to move laterally and access sensitive systems.
Cloud relevance / MO: Software supply-chain compromise enabled access into many hybrid/cloud environments that relied on Orion.
Impact: Government and corporate breaches with long dwell times and widespread access.
Lesson: Vendor trust is a critical attack surface — harden upstream build and update pipelines.
Codecov Bash uploader compromise
What: Attackers altered Codecov’s Bash uploader to leak CI environment variables and secrets (tokens), enabling downstream compromise of customer cloud resources.
Cloud relevance / MO: CI/CD tool compromise → secret exfiltration → cloud account access.
Impact: Widespread exposure of credentials and potential lateral use against cloud tenants.
Lesson: Secrets in build and CI pipelines must be treated as crown jewels; attestation and short-lived secrets reduce risk.
Kaseya remote management platform ransomware (REvil)
What: REvil exploited Kaseya’s remote management platform to push ransomware to MSP customers and their clients.
Cloud relevance / MO: Compromise of a SaaS/MSP management plane amplified impact across hundreds of downstream networks.
Impact: Large number of businesses hit; complex recovery and large ransom demands.
Lesson: MSPs are high-value targets — vendor security posture directly affects many customers.
On-prem Exchange zero-day exploitation
What: A set of zero-day vulnerabilities in on-prem Exchange were exploited to deploy web shells and steal credentials.
Cloud relevance / MO: While primarily on-prem, the incident highlighted identity/credential reuse and supply-chain/third-party telemetry risks that cascade into cloud tenants.
Impact: Tens of thousands of servers compromised, broad data access and persistence.
Lesson: Critical on-prem bugs can still open doors to cloud resources — patching and segmentation are essential.
Azure Cosmos DB key-theft research
What: Security researchers demonstrated chained misconfigurations and flaws allowing theft of primary keys and full access to many Cosmos DB instances.
Cloud relevance / MO: Exploited cloud-native database misconfigurations and provider feature interactions to obtain master keys and data access.
Impact: Research showed the potential to access thousands of Azure customer databases (now patched).
Lesson: Provider services’ complex features can create surprising privilege escalation paths — continuous independent testing is vital.
Docker Hub database breach
What: Unauthorized access to the Docker Hub database exposed ~190,000 accounts and associated repository tokens used for automated builds.
Cloud relevance / MO: Exposure of build tokens and credentials for container images undermines the supply chain and cloud deployments.
Impact: Revoked tokens, reset credentials, and potential for malicious images or unauthorized code pulls.
Lesson: Protect registries and build tokens; rotate credentials and monitor image signing.
Cloud communications provider phishing (Authy, Signal affected)
What: Sophisticated phishing and voice-phishing targeted employees to harvest credentials, enabling access to internal systems and some customer data. Important downstream services (e.g., Authy, Signal) were affected.
Cloud relevance / MO: Attackers exploited human factors to gain access to a cloud communications provider, enabling them to interfere with MFA and communications infrastructure.
Impact: Customer information exposure and potential MFA bypass for affected services.
Lesson: Critical vendors that manage authentication/communications amplify risk if their human defenses are breached.
Lapsus$ social-engineering campaign
What: The Lapsus$ group used social engineering, account takeovers, and stolen credentials to exfiltrate source code and internal tools from major cloud-reliant firms (Microsoft, Nvidia, Samsung, others).
Cloud relevance / MO: Attacks targeted cloud accounts, developer portals and SaaS admin consoles to steal proprietary code and secrets.
Impact: Source-code leaks, operational disruption, public reputational damage.
Lesson: Dev and admin accounts must have hardened access controls (MFA, conditional access), and developer secrets must never be stored where they are easily phished.
Okta third-party support compromise (Sitel)
What: Incidents involving third-party support vendors and compromised help-desk workflows (Sitel) led to transient but consequential Okta service incidents and concerns about SSO trust. Okta’s October 2023 investigation closure clarified the scope.
Cloud relevance / MO: Compromise of support/service provider accounts can cascade into identity provider and tenant access.
Impact: Customer concerns around identity trust; highlighted third-party risk in identity chains.
Lesson: Vendor-managed identity or support access needs strict least privilege and monitoring.
Progress MOVEit Transfer zero-day (Cl0p)
What: A zero-day SQL injection in Progress MOVEit Transfer was widely exploited by the Cl0p group to install web shells and exfiltrate data from hundreds of organizations.
Cloud relevance / MO: Many orgs use managed file transfer services and cloud storage; the flaw enabled rapid data theft at scale across tenants.
Impact: Hundreds of organizations breached, large-scale data theft and extortion campaigns.
Lesson: Vulnerabilities in widely used managed services quickly become systemic incidents — rapid patching and vendor coordination matter.
Snowflake customer-data exposures (AT&T)
What: High-profile incidents and investigations revealed that large datasets hosted on Snowflake were accessed by attackers or exposed via customer misconfigurations; AT&T reported a major data exposure on Snowflake’s platform that drew law-enforcement interest.
Cloud relevance / MO: Multi-tenant data platforms (data warehouses) concentrate sensitive data — credential misuse, misconfiguration, or delayed disclosure can create large exposures.
Impact: Sensitive call/text metadata for millions; regulatory and PR consequences.
Lesson: Data warehousing platforms require rigorous access controls, monitoring, and timely incident disclosure.
Common attacker playbook observed across these incidents
1. Find or buy access to credentials (phishing, exposed tokens, leaked .env files).
2. Exploit a misconfiguration or a vulnerable update mechanism (public buckets, permissive IAM, vulnerable vendor software).
3. Escalate privileges inside cloud services (abuse provider APIs, steal master keys).
4. Exfiltrate data or deploy disruptive payloads (ransomware, web shells, cryptojacking).
Immediate program-level controls that materially reduce risk
Identity-first posture: enforce MFA, short-lived credentials, conditional access, and least privilege IAM.
Secrets hygiene: remove secrets from repos and CI, use vaults and ephemeral tokens.
Supply-chain risk management: vet vendor build pipelines, sign and verify updates, and limit vendor privileges.
Configuration guardrails: automated checks for public buckets, overly broad IAM policies, and risky storage ACLs.
Logging & detection tuned to cloud: ensure cloud provider telemetry (CloudTrail, Azure Activity Logs, etc.) is ingested, monitored, and retained.
Incident playbooks for cloud: preplan steps for key cloud workflows (revoke keys, isolate subscriptions, roll service-principal credentials).
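The configuration-guardrail control above can be automated as a simple policy linter. The following is an added example, not code from the article or from any cloud provider: it flags the three misconfigurations the list names (public bucket policies, wildcard IAM statements on all resources, and ACL grants to the global AllUsers/AuthenticatedUsers groups), using constructed sample documents in the shape AWS returns them.

```python
# Configuration guardrail for the controls list above: flags public bucket
# policies, over-broad IAM statements and risky ACL grants. Added example, not
# from the article; the policy documents and the ACL below are constructed.
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _as_list(value):
    # IAM accepts a string or a list in most fields; normalise to a list.
    return value if isinstance(value, list) else [value]

def _principal_is_public(principal):
    # "*" or {"AWS": "*"} lets any caller, including anonymous ones, match.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def check_policy(policy):
    """Findings for a parsed IAM or S3 bucket policy document."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        # Public principal with no Condition block: the data is open to everyone.
        if _principal_is_public(st.get("Principal")) and "Condition" not in st:
            findings.append(f"statement {i}: public principal allows {', '.join(actions)}")
        # Global or service-wide wildcard on every resource: over-privileged role.
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            findings.append(f"statement {i}: wildcard action on all resources")
    return findings

def check_acl(acl):
    """Findings for an S3 bucket ACL: any grant to the global AWS groups."""
    return [f"{g['Permission']} granted to {g['Grantee']['URI'].rsplit('/', 1)[-1]}"
            for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GRANTEES]

# Constructed samples, not real account data.
PUBLIC_BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
ADMIN_ROLE_POLICY = {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}
SCOPED_ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::example-bucket/reports/*"}]}
PUBLIC_ACL = {"Grants": [{"Permission": "READ", "Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}

if __name__ == "__main__":
    print(check_policy(PUBLIC_BUCKET_POLICY), check_policy(ADMIN_ROLE_POLICY),
          check_policy(SCOPED_ROLE_POLICY), check_acl(PUBLIC_ACL), sep="\n")
```

In a real deployment the documents would be fetched per account (for example from the S3 and IAM APIs) and the findings routed to the same pipeline that receives CloudTrail-based alerts.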
Zero-Trust Is No Longer Optional – Segmentation, least-privilege access, and continuous verification must replace perimeter-based defenses.
The past decade of cloud breaches underscores one key reality: while cloud platforms are inherently resilient, human error, poor configuration, and weak identity controls continue to expose organizations to risk.
As threat actors refine their tactics — and as businesses increasingly rely on third-party SaaS and API ecosystems — security leaders must evolve from a reactive stance to a zero-trust, identity-centric, and configuration-aware posture.
In the next decade, the winners in cloud security will be those who not only harden technology but also continuously audit and govern how it’s used.