Sumo Logic confirms data breach after hackers used stolen credentials to access its AWS account
Hackers claimed another casualty this week as data analytics and security firm Sumo Logic became the latest victim of a data breach. The company confirmed it suffered a security breach and urged users to rotate their API keys after discovering that its AWS (Amazon Web Services) account was compromised last week.
In a statement on Wednesday, Sumo Logic said it detected evidence that a threat actor used stolen credentials to access the company’s Amazon Web Services (AWS) account. However, Sumo Logic says its systems and networks weren’t impacted during the breach and that “customer data has been and remains encrypted.”
“Immediately upon detection we locked down the exposed infrastructure and rotated every potentially exposed credential for our infrastructure out of an abundance of caution,” the company said. “We are continuing to thoroughly investigate the origin and extent of this incident. We have identified the potentially exposed credentials and have added extra security measures to further protect our systems.”
“As an outcome of our ongoing investigation, we are reducing the scope of the additional precautionary measures mentioned in our November 7th message,” Sumo Logic said in a message on November 8.
The company said it is stepping up its monitoring efforts and addressing potential vulnerabilities to prevent similar incidents down the line. Additionally, the company says it is keeping a close eye on network and system logs to catch any signs of further malicious activity.
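As an added illustration (not from the article or from Sumo Logic), this is the kind of log review the statement alludes to: a pass over AWS CloudTrail records that flags an IAM access key being used from a source IP or user agent it has never used before, the trace a stolen credential typically leaves. All records, key IDs, user names and addresses below are constructed samples, and the cutoff date is an assumed start of the review window.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed CloudTrail-style records (not real logs), trimmed to the fields used here.
SAMPLE_EVENTS = [
    {"eventTime": "2023-11-01T09:12:00Z", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAEXAMPLE000000001"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.13.0"},
    {"eventTime": "2023-11-02T14:05:00Z", "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAEXAMPLE000000001"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.13.0"},
    {"eventTime": "2023-11-03T02:41:00Z", "eventName": "GetSecretValue",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAEXAMPLE000000001"},
     "sourceIPAddress": "198.51.100.77", "userAgent": "Boto3/1.28.0"},
    {"eventTime": "2023-11-03T08:00:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin",
                      "accessKeyId": "AKIAEXAMPLE000000002"},
     "sourceIPAddress": "203.0.113.11", "userAgent": "aws-cli/2.13.0"},
]

# Assumed review window: events before this instant are treated as known-good baseline.
CUTOFF = datetime(2023, 11, 3, tzinfo=timezone.utc)


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_baseline(events, cutoff):
    """Per access key, the source IPs and user agents seen before `cutoff`."""
    baseline = defaultdict(lambda: {"ips": set(), "agents": set()})
    for e in events:
        key = e["userIdentity"].get("accessKeyId")
        if key and _ts(e) < cutoff:
            baseline[key]["ips"].add(e["sourceIPAddress"])
            baseline[key]["agents"].add(e["userAgent"])
    return baseline


def find_anomalies(events, cutoff):
    """Flag post-cutoff use of a known key from an IP or agent never seen for it.
    Keys with no baseline history are skipped; they need a separate review."""
    baseline = build_baseline(events, cutoff)
    findings = []
    for e in events:
        key = e["userIdentity"].get("accessKeyId")
        if not key or key not in baseline or _ts(e) < cutoff:
            continue
        reasons = []
        if e["sourceIPAddress"] not in baseline[key]["ips"]:
            reasons.append("new source IP")
        if e["userAgent"] not in baseline[key]["agents"]:
            reasons.append("new user agent")
        if reasons:
            findings.append({"accessKeyId": key, "user": e["userIdentity"].get("userName"),
                             "eventName": e["eventName"], "eventTime": e["eventTime"],
                             "sourceIPAddress": e["sourceIPAddress"], "reasons": reasons})
    return findings
```

Each finding names the key to rotate and the call it made, which is the list an incident responder needs when deciding which credentials to revoke first.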
We first covered Sumo Logic in 2019 after the cloud-based machine data analytics platform startup closed a $110 million funding round led by Battery Ventures, with participation from Tiger Global Management and Franklin Templeton. In May of this year, Sumo Logic was acquired by private equity firm Francisco Partners for a hefty $1.7 billion. Among its clientele, you’ll find a slew of tech giants such as Samsung, Okta, SAP, F5, Airbnb, SEGA, 23andme, Toyota, and more.
Founded in April 2010 by ArcSight veterans Kumar Saurabh and Christian Beedgen, the Redwood City, California-based Sumo Logic is the world’s leading platform for DevSecOps. More than 1,600 enterprises around the world rely on Sumo Logic to collaborate, develop, operate, and secure their applications at cloud scale. Sumo Logic is a secure, cloud-native machine data analytics service that delivers real-time, continuous intelligence from structured, semi-structured, and unstructured data across the entire application lifecycle and stack.
Below is the message Sumo Logic sent to its customers.
November 7, 2023
To Our Valued Customers:
At Sumo Logic, ensuring the security and reliability of our customers’ digital experience is our top priority. We have always placed great emphasis on protecting our customers against threats, and we understand and deeply value the trust our customers place in us.
To that end, we are writing to notify you, as a precautionary measure, of a possible security incident within our platform.
WHAT HAPPENED:
On Friday, November 3rd, 2023, Sumo Logic discovered evidence of a potential security incident. The activity identified used a compromised credential to access a Sumo Logic AWS account. We have not at this time discovered any impacts to our networks or systems, and customer data has been and remains encrypted.
WHAT HAVE WE DONE:
Immediately upon detection we locked down the exposed infrastructure and rotated every potentially exposed credential for our infrastructure out of an abundance of caution. We are continuing to thoroughly investigate the origin and extent of this incident. We have identified the potentially exposed credentials and have added extra security measures to further protect our systems. This includes improved monitoring and fixing any possible gaps to prevent any similar events and we are continuing to monitor our logs to look for further signs of malicious activity. We have taken actions to stop the threat to our infrastructure and are advising customers to rotate their credentials.
WHAT SHOULD YOU DO:
We recommend that customers rotate credentials that are either used to access Sumo Logic or that you have provided to Sumo Logic to access other systems. Specifically:
What we advise you rotate immediately:
- Sumo Logic API access keys (If you need assistance with this, please contact Sumo Support at https://support.sumologic.com/support/s/)
What you could also rotate as an additional precautionary measure:
- Sumo Logic installed collector credentials
- Third-party credentials that have been stored with Sumo for the purpose of data collection by the hosted collector (e.g., credentials for S3 access)
- Third-party credentials that have been stored with Sumo as part of webhook connection configuration
- User passwords to Sumo Logic accounts
If you have questions about steps to take, please do not hesitate to contact our customer support team at https://support.sumologic.com/support/s/
WHAT HAPPENS NEXT:
While the investigation into this incident is ongoing, we remain committed to doing everything we can to promote a safe and secure digital experience.
We will directly notify customers if evidence of malicious access to their Sumo Logic accounts is found. Customers may find updates at our Security Response Center.
Your security remains our top priority and we want to reiterate how much we value you putting your trust in us. Thank you for your understanding through this process.