Sumo Logic discloses potential breach via compromised AWS credential
Cloud-native big data and security analytics firm Sumo Logic is investigating a potential security incident within their platform, the company revealed on Tuesday.
The Sumo Logic incident
“On Friday, November 3rd, 2023, Sumo Logic discovered evidence of a potential security incident. The activity identified used a compromised credential to access a Sumo Logic AWS account,” the company said in its security notice.
“We have not at this time discovered any impacts to our networks or systems, and customer data has been and remains encrypted.”
Upon detecting the suspicious activity, the company says it locked down the exposed infrastructure, rotated every other potentially exposed credential, added further hardening to its systems, and began investigating the incident's source and scope.
The investigation is still ongoing, and the company promised to directly notify customers if evidence of malicious access to their Sumo Logic accounts is found.
Recommendations for customers
The company advised customers to immediately rotate Sumo Logic API access keys and, for added security, to rotate:
- Sumo Logic installed collector credentials
- Third-party credentials that have been stored with Sumo for data collection by the hosted collector (e.g., credentials for S3 access) or as part of webhook connection configuration
- User passwords to Sumo Logic accounts.
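The first of these steps, rotating Sumo Logic API access keys, is the one most customers will want to script rather than click through. The block below is an added example, not Sumo Logic's own tooling or anything from its notice. It assumes the Sumo Logic Access Keys Management API (`GET`, `POST` and `PUT` on `/api/v1/accessKeys` under a deployment-specific base URL such as `https://api.sumologic.com`), basic authentication with an existing accessId:accessKey pair, and an ISO-8601 `createdAt` field on each key; the field names and the `FakeSumo` data are constructed for the example. It creates a replacement key first, then disables (rather than deletes) every enabled key created before the November 3 incident date, except the key the script itself runs under, which must be retired by hand last.

```python
"""Rotate Sumo Logic API access keys after a credential-exposure notice.

Added example, not Sumo Logic's code. Assumes the Access Keys Management API
(GET/POST/PUT /api/v1/accessKeys) and basic auth with accessId:accessKey.
"""
import base64
import json
import urllib.request
from datetime import datetime, timezone

# Date from the incident notice: enabled keys created before it are suspect.
INCIDENT_DATE = datetime(2023, 11, 3, tzinfo=timezone.utc)


def urllib_transport(access_id, access_key):
    """Return a do_request(method, url, body) callable backed by urllib."""
    token = base64.b64encode(f"{access_id}:{access_key}".encode()).decode()

    def do_request(method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Basic {token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        })
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}

    return do_request


def parse_ts(value):
    """Parse the createdAt timestamp (assumed ISO-8601 with a trailing Z)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def list_access_keys(do_request, base_url):
    """Walk every page of GET /api/v1/accessKeys by following the 'next' token."""
    keys, token = [], None
    while True:
        url = f"{base_url}/api/v1/accessKeys?limit=100"
        if token:
            url += f"&token={token}"
        page = do_request("GET", url)
        keys.extend(page.get("data", []))
        token = page.get("next")
        if not token:
            return keys


def select_suspect_keys(keys, cutoff=INCIDENT_DATE, keep_ids=()):
    """Enabled keys created before the cutoff, minus the ones we must keep."""
    return [k for k in keys
            if not k.get("disabled")
            and k["id"] not in keep_ids
            and parse_ts(k["createdAt"]) < cutoff]


def rotate(do_request, base_url, new_key_name, cutoff=INCIDENT_DATE, keep_ids=()):
    """Create the replacement key first, then disable (not delete) suspect keys.

    Disabling keeps the option of re-enabling a key that a forgotten consumer
    still needs; deletion can follow once everything has switched over.
    Returns (new_key_id, [disabled ids]).
    """
    created = do_request("POST", f"{base_url}/api/v1/accessKeys",
                         {"name": new_key_name, "corsHeaders": []})
    # created["accessKey"] is returned only once: store it in a secrets manager here.
    disabled = []
    for key in select_suspect_keys(list_access_keys(do_request, base_url), cutoff, keep_ids):
        do_request("PUT", f"{base_url}/api/v1/accessKeys/{key['id']}",
                   {"disabled": True, "corsHeaders": key.get("corsHeaders", [])})
        disabled.append(key["id"])
    return created["id"], disabled


class FakeSumo:
    """Constructed stand-in for the API so the example runs offline (two pages)."""

    def __init__(self):
        self.keys = {
            "k1": {"id": "k1", "name": "ci", "createdAt": "2023-01-10T09:00:00Z", "disabled": False, "corsHeaders": []},
            "k2": {"id": "k2", "name": "ops", "createdAt": "2023-10-30T12:00:00Z", "disabled": False, "corsHeaders": ["https://app.example"]},
            "k3": {"id": "k3", "name": "old", "createdAt": "2022-05-01T00:00:00Z", "disabled": True, "corsHeaders": []},
            "k4": {"id": "k4", "name": "fresh", "createdAt": "2023-11-06T08:00:00Z", "disabled": False, "corsHeaders": []},
        }
        self.calls = []

    def __call__(self, method, url, body=None):
        self.calls.append((method, url, body))
        if method == "GET":
            ids = sorted(self.keys)
            if "token=" not in url:
                return {"data": [self.keys[i] for i in ids[:2]], "next": "page2"}
            return {"data": [self.keys[i] for i in ids[2:]], "next": None}
        if method == "POST":
            self.keys["k5"] = {"id": "k5", "name": body["name"], "createdAt": "2023-11-08T10:00:00Z",
                               "disabled": False, "corsHeaders": body["corsHeaders"]}
            return {**self.keys["k5"], "accessKey": "constructed-secret"}
        if method == "PUT":
            key_id = url.rsplit("/", 1)[1]
            self.keys[key_id]["disabled"] = body["disabled"]
            return self.keys[key_id]
        raise ValueError(method)


if __name__ == "__main__":
    api = FakeSumo()  # replace with urllib_transport(access_id, access_key) for real use
    print(rotate(api, "https://api.sumologic.com", "post-incident", keep_ids=("k2",)))
```

Run it against the real API only after listing the keys once and checking which one your automation itself is authenticating with; that id goes in `keep_ids`, and you rotate it by hand after the new key is in use. The same pattern (create replacement, switch consumers, disable, then delete) applies to the collector and webhook credentials in the list above, but those live in different parts of the product and are not covered by this script.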
Sumo Logic was acquired earlier this year by global investment firm Francisco Partners and has recently laid off 79 employees.
UPDATE (November 8, 2023, 10:00 a.m. ET):
Sumo Logic has narrowed the additional precautionary measures it advises customers to take: beyond rotating Sumo Logic API access keys, customers now only need to rotate third-party credentials that have been stored with Sumo as part of webhook connection configuration.
UPDATE (November 21, 2023, 11:20 a.m. ET):
The company says that they “uncovered no proof of customer data impact and no threat of customer data impact present. These findings were verified by third-party forensic experts and the investigation of this incident is now complete and closed.”
They have provided indicators of compromise (IOCs) and advice on how customers can inspect their own environments for evidence of compromise.