BrowserStack Data Breach

Type

Incident

Actors

❓Unknown

Pub. date

November 9, 2014

Initial access

1-day vulnerability

Impact

Data exfiltration

Observed techniques

Credential theftVulnerability exploitation

References

https://web.archive.org/web/20141220062119/http://www.browserstack.com:80/attack-and-downtime-on-9-November

Status

Stub

Last edited

Nov 4, 2024 2:46 PM

On November 9, 2014, BrowserStack suffered a breach when a hacker accessed an old, unpatched prototype server via the shellshock vulnerability. The server contained AWS credentials, allowing the attacker to create an instance, access a backup, and partially copy user data (email addresses, hashed passwords, and test URLs). This intrusion triggered alerts, leading BrowserStack to quickly block the attacker.

The hacker emailed fewer than 1% of users, spreading false claims about BrowserStack's shutdown. BrowserStack verified that no sensitive data, such as full credit card details, was compromised, as these details are handled by an external processor. Additionally, they confirmed that no other systems were breached.

In response, BrowserStack immediately revoked AWS keys, implemented encrypted backups, added new security checks, and initiated a third-party security audit.