Cloud security must be threat-informed. This repository compiles public data on security incidents impacting AWS customers, to guide prioritized security investment.
This repository seeks to index all publicly disclosed AWS customer security incidents with a known root cause.
It excludes incidents involving exposed data stores (e.g. S3 bucket leaks, exposed managed or hosted databases). Those incidents are already well understood, and examples can be found cataloged in places like nagwww's s3-leaks repo, UpGuard's reports, Hackmageddon's annual rollup reports (2022) and Corey Quinn's LWIAWS S3 Bucket Negligence Award.
This repository is in no way intended as a criticism of the listed companies. In the spirit of blameless postmortems [1], our goal is to learn from incidents without an atmosphere of blame.
A repository of breaches of AWS customers
Name | Date | Root Cause | Escalation Vector(s) | Impact | Link to details |
---|---|---|---|---|---|
Uber | 2014, May | Github Gist (data analysis script) with AWS credentials | N/A | 50,000 records, including names and driver’s licenses from S3 hosted database prunes | Exclusive: In lawsuit over hacking, Uber probes IP address assigned to Lyft exec - sources , A blameless post-mortem of USA v. Joseph Sullivan |
Code Spaces | 2014, June | AWS Console Credentials (Phishing?) | Attacker created additional accounts/access keys | Wiped S3 buckets, EC2 instances, AMIs, EBS snapshots | Hacker puts code spaces out of business |
BrowserStack | 2014, November | Shellshock on exposed, outdated prototype machine | Access keys on server, used to create IAM user, create EC2, and mount backup | Steal user data and email users | BrowserStack analysis |
DNC Hack by the GRU | 2016, June | Unknown, test clusters breached | EC2 Snapshots copied to attacker AWS accounts | Tableau and Vertica Queries | DEMOCRATIC NATIONAL COMMITTEE v. THE RUSSIAN FEDERATION |
DataDog | 2016, July | CI/CD AWS access key and SSH private key leaked | Attacker attempted to pivot with customer credentials | 3 EC2 instances and subset of S3 buckets | 2016-07-08 Security Notice |
Uber | 2016, October | ~13 hacked Uber credentials purchased from a forum gave access to private GitHub repo with AWS credentials | N/A | Names and driver’s license numbers of 600k drivers, PII of 57 million users in unencrypted manual backup | Uber concealed cyberattack ..., A blameless post-mortem of USA v. Joseph Sullivan |
Lynda.com | 2016, December | Private Github Repo with AWS credentials | N/A | User data for 9.5m users, attempted extortion | 2 Plead Guilty in 2016 Uber and Lynda.com Hacks |
OneLogin | 2017, May | AWS keys | Created EC2 instances | Accessed database tables (with encrypted data) | May 31, 2017 Security Incident |
Politifact | 2017, October | "Misconfigured cloud computing server" | N/A | Coinhive cryptojacking | Hackers have turned Politifact’s website into a trap for your PC |
Dataspline | 2017, Unknown | Monero miner in container base image dependency | N/A | Monero cryptojacking | LinkedIn post from co-founder |
DXC Technologies | 2017, November | Private AWS key exposed via GitHub | 244 EC2 instances started | Cryptomining | DXC spills AWS private keys on public GitHub |
Drizly | 2018 | AWS Credentials committed to public github repo | N/A | Cryptojacking | FEDERAL TRADE COMMISSION - Drizly Complaint |
LA Times | 2018, February | S3 global write access | N/A | Cryptojacking | Coinhive cryptojacking added to homicide.latimes.com |
Tesla | 2018, February | Globally exposed Kubernetes console, Pod with AWS credentials | N/A | Cryptojacking | Hack Brief: Hackers Enlisted Tesla's Public Cloud to Mine Cryptocurrency |
Chegg | 2018, April | Former contractor abuses broadly shared root credential | Unknown | 40 million users' data (from S3 bucket) | FTC Complaint |
imToken | 2018, June | Email account compromise | Reset AWS account password | Minimal customer device data | Disclosure of Security Incidents on imToken |
Voova | 2019, March | Stolen credentials by former employee | N/A | Deleted 23 servers | Sacked IT guy annihilates 23 of his ex-employer’s AWS servers |
Capital One | 2019, April | "Misconfigured WAF" that allowed for a SSRF attack | Over-privileged EC2 Role | 100 million credit applications | A Technical Analysis of the Capital One Cloud Misconfiguration Breach |
JW Player | 2019, September | Weave Scope (publicly exposed), RCE by design | N/A | Cryptojacking | How A Cryptocurrency Miner Made Its Way onto Our Internal Kubernetes Clusters |
Malindo Air | 2019, September | Former employee insider threat | N/A | 35 million PII records | Malindo Air: Data Breach Was Inside Job |
Imperva | 2019, October | “Internal compute instance” globally accessible, “Contained” AWS API key | N/A | RDS snapshot stolen | Imperva Security Update |
Cameo | 2020, February | Credentials in mobile app package | N/A | Access to backend infrastructure, including user data | Celeb Shout-Out App Cameo Exposes Private Videos and User Data |
Open Exchange Rates | 2020, March | Third-party compromise exposing access key | N/A | User database | Exchange rate service’s customer details hacked via AWS |
First Republic Bank | 2020, March | Fired employee incompletely offboarded | N/A | System interruption | First Republic Bank |
Live Auctioneers | 2020, July | Compromised third party software granting access to cloud environment | N/A | User database, including MD5 hashed credentials | Washington State OAG - Live Auctioneers |
Twilio | 2020, July | S3 global write access | N/A | Magecart [2] | Incident Report: TaskRouter JS SDK Security Incident |
Natures Basket responsible disclosure | 2020, July | Hard-coded root keys in source code exposed via public S3 bucket | N/A | N/A | GotRoot! AWS root Account Takeover |
Drizly | 2020, July | Inactive Github account compromised via reused password, granting AWS credential access in source code | N/A | RDS Instance with 2.5 million users data exfiltrated | FTC Takes Action Against Drizly and its CEO James Cory Rellas for Security Failures that Exposed Data of 2.5 Million Consumers |
Cryptomining AMI | 2020, August | Windows 2008 Server Community AMI | N/A | Monero miner | Cryptominer Found Embedded in AWS Community AMI |
Animal Jam | 2020, November | Slack compromise exposes AWS credentials | N/A | User database | Kids' gaming website Animal Jam breached |
Cisco | 2020, December | Former employee with AWS access 5 months post-resignation | N/A | Deleted ~450 EC2 instances | Former Cisco engineer sentenced to prison |
Juspay | 2021, January | Compromised old, unrecycled Amazon Web Services (AWS) access key | N/A | Masked card data, email IDs and phone numbers | Data from August Breach of Amazon Partner Juspay Dumped Online |
20/20 Eye Care Network and Hearing Care Network | 2021, January | Compromised credential | N/A | S3 buckets accessed then deleted | 20/20 Eye Care Network and Hearing Care Network notify 3,253,822 health plan members of breach that deleted contents of AWS buckets |
Sendtech | 2021, February | (Current or former employee) Compromised credentials | Created additional admin account | Accessed customer data in S3 | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2102-B7884 |
LogicGate | 2021, April | Compromised credentials | N/A | Backup files in S3 stolen | Risk startup LogicGate confirms data breach |
Ubiquiti | 2021, April | Compromised credentials from IT employee Lastpass (alleged former employee insider threat) | N/A | root administrator access to all AWS accounts, extortion | Ubiquiti All But Confirms Breach Response Iniquity |
Uran Company | 2021, July | Compromised Drupal with API keys | N/A | Cryptomining | Clear and Uncommon Story About Overcoming Issues With AWS |
reddoorz.com | 2021, September | Access Key leaked via APK | N/A | Customer database stolen | PERSONAL DATA PROTECTION COMMISSION Case No. DP-2009-B7057 |
HPE Aruba | 2021, October | Unknown exposure of Access Key | N/A | Potential access to network telemetry and contact trace data | Aruba Central Security Incident |
Kaspersky | 2021, November | Compromised SES token from third party | N/A | Phishing attacks | Kaspersky's stolen Amazon SES token used in Office 365 phishing |
Eye Care Leaders | 2021, December | Unknown | Unknown | deleted databases and system configuration files, potential theft of 1.5M patient records | Augusta University Health - Breach Disclosure [PDF] |
Onus | 2021, December | Log4Shell vulnerability in Cyclos server | AmazonS3FullAccess creds (and DB creds) in Cyclos config | 2 million ONUS users’ information including EKYC data, personal information, and password hash was leaked. | The attack on ONUS – A real-life case of the Log4Shell vulnerability |
Flexbooker | 2021, December | Unknown | Unknown | 3.7M first and last names, email addresses, phone numbers, "encrypted" passwords | Booking management platform FlexBooker leaks 3.7 million user records |
npm | 2022, April | Third party OAuth token compromise granting private repository access, containing AWS keys | Unknown | 100k users data (from 2015) | npm security update: Attack campaign using stolen OAuth tokens |
PREMINT | 2022, July | S3 global write access | Unknown | NFT Theft (supply chain) | Full Analysis of the PREMINT Attack Incident |
Uber | 2022, September | Contractor account compromise leading to AWS credential discovery on a shared drive | Unknown | N/A | Uber - Security update |
Lastpass | 2022, October | Stole source code and accessed development environment via compromised developer account (an IAM User) | Unknown pivot point into production environment. Later compromise of a privileged engineer's personal machine to gain access to decryption keys for stolen data | Internal and customer data broadly compromised, including backups of MFA database | Notice of Recent Security Incident,Incident 2 – Additional details of the attack, Breaking the Vault: A Case Study of the 2022 LastPass Data Breach |
Medibank | 2022, October | Compromised credentials | Unknown | Data exfiltration from Redshift / "Ransomware" | Medibank now says hackers accessed all its customers’ personal data, Amazon Redshift gets new default settings to prevent data breaches |
Sonder | 2022, November | Unknown | Unknown | Theft of customer information, attempted extortion | Security Update, Breach Notification |
Teqtivity (Uber Vendor) | 2022, December | Unknown | Unknown | "AWS backup server" with device and user information | Breach Notification Statement, Uber suffers new data breach after attack on vendor, info leaked online |
CommuteAir | 2023, January | Publicly Exposed Jenkins with hardcoded credentials | N/A | 2019 FAA No Fly List | how to completely own an airline in 3 easy steps, U.S. airline accidentally exposes ‘No Fly List’ on unsecured server |
Cloudflare | 2023, November | Pivot from Okta compromise due to un-rotated access token | N/A | N/A | Cloudflare - Thanksgiving 2023 security incident |
Sisense | 2024, April | Credentials stolen from Gitlab repository | N/A | Terabytes of customer data exfiltrated from S3 | Why CISA is Warning CISOs About a Breach at Sisense |
pcTattletale | 2024, May | Application vulnerability disclosed root AWS keys | N/A | Data published publicly | Spyware app pcTattletale was hacked and its website defaced, defaced site |
BeyondTrust | 2024, December | 0day vulnerability in a 3p application | infrastructure API key to pivot cross-account | Customer Instances compromised | BeyondTrust Remote Support SaaS Service Security Investigation |
TinaCloud | 2024, December | Credentials leaked in JS file | N/A | SES abuse for phishing | TinaCloud: Public Disclosure of Security Breach |
Otelier | 2025, January | Infostealer | Credentials found in Bitbucket | 8TB of data exfiltrated from S3 | Otelier data breach exposes info, hotel reservations of millions |
Bybit / Safe{Wallet} | 2025, February | Compromised developer machine | Malicious JavaScript via S3 bucket write access | $1.5 Billion dollars stolen | Bybit Interim Investigation Reports |
AngelOne | 2025, March | Unknown | N/A | Data exfiltration | Indian Stock Broker Angel One Discloses Data Breach |
Pearson | 2025, March | Exposed GitLab token in .git/config | AWS credentials in source code | Data exfiltration | Education giant Pearson hit by cyberattack exposing customer data |
KiranaPro | 2025, June | Former employee, post layoff | N/A | Service disruption | Indian grocery startup KiranaPro was hacked and its servers deleted, CEO confirms, KiranaPro Crisis Explained: Ex-Employee’s Revenge Move that Paralysed the App |
Report | Date | Root Cause | Escalation or Persistence Vector(s) | Impact | Link to details |
---|---|---|---|---|---|
Mandiant M-Trends 2020 | 2020, February | Credentials stolen from GitHub repository commit history | Takes snapshot of EBS volumes, creates EC2 instances, exfiltrates data over SSH | Stolen EBS volumes | M-Trends 2020 |
TeamTNT Worm | 2020, April | Misconfigured Docker & k8s platforms | Steals AWS credentials from ~/.aws/* | Cryptojacking for Monero | Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials, TeamTNT with new campaign aka “Chimaera” |
Expel case study 1 | 2020, April | 8 IAM access keys compromised | Backdoored security groups | Command line access to EC2 instances | Finding evil in AWS: A key pair to remember |
Expel case study 2 | 2020, July | Root IAM user access key compromised | SSH keys generated for EC2 instances | Cryptojacking | Behind the scenes in the Expel SOC: Alert-to-fix in AWS |
Mandiant: Insider Threat Scenario | 2020, September | Fired employee uses credentials | Access CI/CD server, create a new user, steal credentials | Deleted production databases | Cloud Breaches: Case Studies, Best Practices, and Pitfalls |
FireEye M-Trends 2021 case study | 2021, April | Use of SSH key by former employee | Creates users and EC2 instances | Deleted RDS backups | M-Trends 2021 |
DarkLab case study | 2021, July | Jenkins RCE | Create IAM users, use S3 Browser tool | Use environment to launch scanning, nuked account | Trouble in Paradise |
Expel case study 3 | 2022, April | Credentials in publicly available code repository | AttachUserPolicy used for privesc | Cryptojacking (prevented) | Incident report: From CLI to console, chasing an attacker in AWS |
Permiso case study 1 | 2022, June | Gitlab vulnerability (CVE-2021-22205) | Credentials on the system found, used to create a backup user | Cryptojacking | Anatomy of an Attack: Exposed keys to Crypto Mining |
Clearvector case study | 2022, August | ADFS pivot into IAM Identity Center | N/A | N/A | Auditing identity activity for NOBELIUM and MagicWeb in AWS |
Positive Thinking Company case study | 2022, June | Unknown | N/A | Cryptojacking | Mitigating a crypto jacking incident on an AWS machine from the earliest stages |
Palo Alto Unit 42 | 2022, December | Code execution in Lambda context | Exfiltrate credentials from envvars | SES abuse for phishing | Compromised Cloud Compute Credentials: Case Studies From the Wild |
Permiso case study 2 | 2022, December | Exploit publicly facing software, mainly Jupyter notebooks or k8s | N/A | Credential Theft | Cloud Cred Harvesting Campaign - Grinch Edition |
CrowdStrike | 2022, December | Exploit known ForgeRock CVE | aws_consoler used to pivot to console sessions without MFA | N/A | Analysis of an Intrusion Campaign Targeting Telco and BPO Companies |
Expel case study 4 | 2023, January | Publicly exposed Postman server with access key credentials stored in the project’s variables | N/A | (likely) AWS SES abuse (prevented) | Incident report: stolen AWS access keys |
Cado Security and Invictus Incident Response | 2023, January | N/A | | | Responding to an attack in AWS, Part 2 |
AWS | 2023, February | Key disclosure, or SSRF | N/A | N/A | The anatomy of ransomware event targeting data residing in Amazon S3 |
Sysdig | 2023, February | Exploit public facing k8s service | IAM creds in Lambda env vars and in S3 bucket | Data exfiltration | SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft |
Invictus IR | 2023, April | exposed long-term credentials | CreateUser | data exfiltration and deletion with ransom note | Ransomware in the cloud |
Unit 42 | 2023, April | sim-swap grants access to 10 access keys in source code | CreateUser with increased permissions | data exfiltration and deletion with ransom note | From SIM-Swap to Data Leak on the Dark Web |
Unit 42 | 2023, April | SSRF via known CVE and IMDSv1 | Backdoored IAM role | Cryptojacking, outbound DDOS | From Misconfigured Firewall to Cryptojacking Botnet |
Mitiga (RSAC) #1 | 2023, April | Company repository w/ AWS keys merged to personal github | N/A | N/A | It’s Getting Real & Hitting the Fan: 2023 Edition |
Mitiga (RSAC) #2 | 2023, April | Unknown root cause of access key compromise | N/A | Shared AMIs publicly for exfil | It’s Getting Real & Hitting the Fan: 2023 Edition |
Kroll #1 | 2023, April | Third party compromised | N/A | Redirect DNS and Email | Effective AWS Incident Response: Examples and Recommendations |
Kroll #2 | 2023, April | Internal network compromised | Lateral movement into cloud, years of persistence | Data Exfiltration | Effective AWS Incident Response: Examples and Recommendations |
S2W Talon "Donjuji" | 2023, May | Development server with exposed environment variables containing IAM user credentials | N/A | Stole data from S3 | Detailed Analysis of CloudDon, Cloud Data Breach of Korea e-commerce company |
Checkmarx | 2023, June | S3 bucket serving npm package bignum hijacked | N/A | Credential theft | Hijacking S3 Buckets: New Attack Technique Exploited in the Wild by Supply Chain Attackers |
SentinelOne | 2023, June | CVE-2022-47986 | N/A | N/A | Anatomy of a Cloud Incident \| SentinelOne’s Vigilance vs. IceFire Ransomware |
Sysdig | 2023, July | Exploit public facing Jupyter Notebook in k8s | IAM creds, including via IMDSv2. Privilege escalation via IAM misconfiguration. Access key persistence | Cryptojacking | SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto |
CrowdStrike | 2023, August | Exploiting RCE in a custom PHP web application | IAM creds, including via IMDS. Lateral movement via SSM | Unknown | 2023 Threat Hunting Report |
CrowdStrike | 2023, August | web application exploit | attempts to query IMDS and connect laterally | Unknown | 2023 Cloud Risk Report |
Unit42 | 2023, August | Exploiting SugarCRM zero day | Access keys on EC2 hosts, Pacu + Scoutsuite scanning | DB data exfiltration | When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability |
AWS | 2023, August | Compromise of federated user via unknown means | Access keys on EC2 hosts, Pacu + Scoutsuite scanning | DB data exfiltration | Two real-life examples of why limiting permissions works: Lessons from AWS CIRT - Story 1: On the hunt for credentials |
AWS | 2023, August | RCE via unintentionally exposed port in ECS task definition | N/A | Cryptojacking | Two real-life examples of why limiting permissions works: Lessons from AWS CIRT - Story 2: More instances for crypto mining |
Security Joes | 2023, Sep | Exploited a vulnerable version of MinIO on an AWS EC2 instance via evil_minIO | Network reconnaissance, create Windows accounts | Unknown | New Attack Vector In The Cloud: Attackers caught exploiting Object Storage Services |
Unit42 | 2023, Oct | Credentials exposed on Github | Create EC2 instances | Monero Cryptojacking | CloudKeys in the Air: Tracking Malicious Operations of Exposed IAM Keys |
Reliaquest | 2023, Nov | Spearphishing | Hijacked Citrix VDI | Data theft (lastpass export in S3 bucket) | Scattered Spider Attack Analysis |
Datadog #1 | 2024, January | Leaked IAM User Key | created administrator IAM user | S3 data exfiltration, attempted cryptomining | Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining |
Datadog #2 | 2024, January | Leaked IAM User Key | N/A | Cryptomining (via ECS Fargate, XMRig) | Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining |
Invictus IR | 2024, January | Exposed IAM User (Administrator) Access Key | created administrator IAM user, added access keys for existing users, created externally assumable role | Cryptomining, SES spam/phishing, phishing infrastructure (domains) | The curious case of DangerDev@protonmail.me |
Stephen Berger (InfoGuardAG) | 2024, February | Unknown | N/A | S3 Ransomware (deleted buckets) | AWS Ransomware |
Sysdig | 2024, March | Exploited vulnerable Laravel + Wordpress | N/A | Meson CDN cryptomining | Cloud Threats deploying Crypto CDN |
Datadog | 2024, March | Compromised Credentials | N/A | AWS SNS SMS Phishing | Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns |
Mandiant | 2024, April | Phishing leads to compromise of credentials in former employee's personal Google Drive | N/A | S3 data exfiltration and "Ransomware" (deleted buckets) | Cloud compromises: Lessons learned from Mandiant investigations in 2023 - Incident Response Case Study #4 |
Sysdig | 2024, May | Exploited known vulnerable Laravel (CVE-2021-3129) | N/A | LLMJacking | LLMjacking: Stolen Cloud Credentials Used in New AI Attack |
Lacework | 2024, June | Stolen or compromised credentials | Create new console user | LLMJacking | Detecting AI resource-hijacking with Composite Alerts |
Datadog | 2024, June | Stolen or compromised credentials | N/A | LLMJacking | Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets |
Yotam Meitar (Wiz) | 2024, June | Compromised vulnerable application (k8s Pod) | Exploit overprivileged secrets access to retrieve IDP-related credentials | S3 data exfiltration and "Ransomware" | Responding to Sophisticated Ransom Attacks in the Cloud: A Real-World Case Study |
Rapid7 #1 | 2024, July | Compromised credential | Create SES user and KMS key | Data Exfiltration & Destruction | Cloud Attack Paths Unveiled: Lessons Learned from the SOC |
Rapid7 #2 | 2024, July | Compromised credential in public S3 | Create IAM users with SES access | SES Abuse | Cloud Attack Paths Unveiled: Lessons Learned from the SOC |
Unit42 | 2024, August | Exposed AWS credentials | N/A | S3 data exfiltration and extortion | Bling Libra’s Tactical Evolution: The Threat Actor Group Behind ShinyHunters Ransomware |
Wiz | 2024, September | Infostealer deployed via social engineering | VDP session hijack, RDP to server in cloud, extract AWS access keys | Data exfiltration | Uncovering Hybrid Cloud Attacks Part 2 – The Attack |
Permiso | 2024, October | Stolen or compromised credentials | N/A | LLMJacking | When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying |
Datadog | 2024, December | Stolen or compromised credentials | Create new role assumable by attacker account | Targeting SES | Tales from the cloud trenches: Unwanted visitor |
Wiz | 2024, December | Stolen or compromised credentials | Create new users and access keys | LLMJacking | New Developments in LLM Hijacking Activity |
Sygnia | 2025, January | Infostealer deployed via social engineering | Lambda PrivEsc to execute commands on EC2 instance | "API calls" to "critical assets" | Sygnia’s 2025 Field Report |
Expel | 2025, February | Phishing/Smishing compromising Okta identities | N/A | N/A | Expel's 2025 Annual Threat Report - Scattered Spider |
Badshah | 2025, April | Stolen or compromised credentials | N/A | Exfiltration and deletion | Securing a SaaS Company's AWS Environment After a Breach |
Mandiant M-Trends 2025 | 2025, April | Stolen or compromised credentials | N/A | Mining, LLMJacking, Resale | M-Trends 2025: TRIPLESTRENGTH Leverages Stolen Credentials for Cloud Assets for Illicit Cryptocurrency Mining |
Datadog | 2025, March | Leaked credentials | Create Admin IAM Users, Lambda persistence, AWS SSO Persistence | N/A | Tales from the cloud trenches: The Attacker doth persist too much, methinks |
Darktrace #1 | 2025, July | Compromised credentials | RDP connections to other instances | Data Exfiltration | Defending the Cloud: Stopping Cyber Threats in Azure and AWS with Darktrace |
Darktrace #2 | 2025, July | SonicWall | N/A | Data Exfiltration | Defending the Cloud: Stopping Cyber Threats in Azure and AWS with Darktrace |
Google Cloud Threat Horizons UNC4899 Case | 2025, July | Malware via job opportunity premise | Session cookie theft, CloudFront & S3 JS modification | Cryptocurrency theft | GCAT Threat Horizons H2 2025 |
[1] Postmortem Culture: Learning from Failure
[2] Note: There have been numerous identified incidents of Magecart exploiting S3 global write access; one review found the campaign targeting "well over 17,000 domains".