{"UUID":"dca56c0e-0148-416a-bed5-0b43fe7ce3d5","URL":"https://www.browserstack.com/attack-and-downtime-on-9-November","ArchiveURL":"","Title":"BrowserStack security incident due to Shellshock vulnerability on prototype machine","StartTime":"2014-11-09T23:30:00Z","EndTime":"2014-11-10T00:00:00Z","Categories":["automation","cloud","security"],"Keywords":["shellshock","security","breach","aws","prototype","email","data","vulnerability"],"Company":"BrowserStack","Product":"","SourcePublishedAt":"2014-11-10T00:00:00Z","SourceFetchedAt":"2026-05-04T17:54:15.237662Z","Summary":"An old prototype machine with the [Shellshock](https://en.wikipedia.org/wiki/Shellshock_(software_bug)) vulnerability still active had secret keys on it which ultimately led to a security breach of the Production system.","Description":"On November 9, 2014, at 23:30 GMT, BrowserStack experienced a security incident. An attacker exploited a Shellshock vulnerability on an old, unpatched prototype machine that had been running since before 2012 and was no longer in active use. This machine contained AWS API access keys and secret keys, which the attacker used to gain further access.\n\nThe root cause was the failure to patch and properly decommission an inactive legacy server. After gaining initial access via Shellshock, the attacker created an IAM user, generated a key-pair, and ran an instance within BrowserStack's AWS account. They then mounted a backup disk of a production component service, which contained a configuration file with a database password. The attacker also whitelisted their IP on the database security group.\n\nThe attacker began copying a database table containing partial user information, including email IDs, hashed passwords, and last tested URLs. This copy operation locked the database table, triggering alerts. While the attacker was blocked quickly, a portion of this data was retrieved. Subsequently, the attacker used SES credentials to send a misleading email to less than 1% (estimated 5,000) of registered users. The service was temporarily taken down for several hours to protect users, causing inconvenience. Crucially, no credit card data, customer source code, or test history was compromised, and user passwords were securely hashed with bcrypt.\n\nIn response, BrowserStack immediately revoked all existing AWS keys and passwords and generated new ones. They conducted thorough log reviews (SSH, web server, AWS CloudTrail) to confirm no further damage. Remediation steps included migrating all backups to encrypted storage, implementing additional AWS action checks and alerts, and creating new VM snapshots. The company also planned to evaluate VPC/VPN options and conduct an external security audit to prevent future incidents."}