On November 9, 2014, BrowserStack suffered a breach when a hacker accessed an old, unpatched prototype server via the Shellshock vulnerability. The server contained AWS credentials, allowing the attacker to create an instance, access a backup, and partially copy user data (email addresses, hashed passwords, and test URLs). This intrusion triggered alerts, leading BrowserStack to quickly block the attacker.
The hacker emailed fewer than 1% of users, spreading false claims about BrowserStack's shutdown. BrowserStack verified that no sensitive data, such as full credit card details, was compromised, as these details are handled by an external processor. Additionally, they confirmed that no other systems were breached.
In response, BrowserStack immediately revoked AWS keys, implemented encrypted backups, added new security checks, and initiated a third-party security audit.