Incident retrospectives
Public breach retrospectives with root causes and lessons. Updated when material new incidents become public. Written in plain English, not PR.
Moltbook — 1.5M API keys exposed via Supabase misconfiguration
An AI-agent platform shipped a Supabase table with row-level security (RLS) disabled, so the database's anonymous API role could read every row. 1.5 million API keys, 35,000 emails, and 4,060 private messages were reachable via unauthenticated HTTP requests for 72 hours.
SaaStr production database wiped by Replit Agent
A Replit Agent interpreting ambiguous instructions executed a destructive SQL command on SaaStr's production database. No data was recoverable from the operation itself; backups saved the company.
Lovable — VibeScamming prompt-injection backdoor
Guardio Labs disclosed a prompt-injection chain that tricked Lovable's AI into generating backdoored code. Attackers could supply crafted prompts that resulted in compromised apps shipping to production.
Amazon.com — 6-hour outage from AI-assisted deploy
An AI-assisted code deploy at Amazon triggered a regression that took Amazon.com offline for approximately six hours. An estimated 6.3 million orders were lost during the window.
XZ Utils backdoor — three years of social-engineering supply chain attack
A multi-year social-engineering campaign installed a backdoor in xz-utils, a compression library used indirectly by OpenSSH on most Linux systems. Discovery was accidental — a Microsoft engineer noticed a 500ms SSH connection delay.
Log4Shell — the single most impactful CVE of the decade
CVE-2021-44228: A remote code execution in Log4j's JNDI lookup allowed attackers to execute arbitrary code by logging a crafted string. The library was transitively used by millions of Java apps; the disclosure triggered the largest coordinated emergency response in AppSec history.
event-stream npm — maintainer takeover supply-chain attack
A legitimate npm maintainer gave control of the popular `event-stream` package to a stranger who asked politely. The new maintainer added a cryptocurrency-stealing backdoor targeted at the Copay Bitcoin wallet.
Colonial Pipeline — leaked VPN password halts East Coast fuel supply
A single compromised VPN password — reused from a separate breach and not protected by MFA — gave the DarkSide ransomware group access to Colonial Pipeline's network. The pipeline shut down, causing fuel shortages across the US East Coast.
Arup — $25M stolen via deepfake CFO video call
An Arup employee in Hong Kong was convinced to send $25M across 15 transactions by a video conference in which attackers deepfaked the CFO and multiple colleagues in real time.
Okta — stolen service account token → support-system compromise
A leaked service account credential (a Google account used by an Okta employee) gave attackers access to Okta's support case-management system. Customer-uploaded HAR (HTTP Archive) files containing live session tokens were accessed, enabling downstream compromise of Okta's customers.
MOVEit — single SQL injection → hundreds of downstream breaches
CVE-2023-34362: A SQL injection in MOVEit Transfer, a widely deployed file-transfer product, was exploited by the Cl0p ransomware group to compromise hundreds of organizations, exfiltrating data from the government, finance, and healthcare sectors.
CVE-2025-29927 — Next.js middleware bypass mass exploitation
A 9.1-CVSS Next.js middleware-bypass vulnerability was disclosed and patched on the same day. Vercel-hosted apps were patched automatically; self-hosted Next.js apps became the target of the week for mass exploitation. One year later, 40% are still vulnerable.