What Happened
On September 9, 2020, ShopBack, an online cashback portal, suffered a data breach when a malicious threat actor accessed its Amazon Web Services (AWS) environment using an administrative access key that had been inadvertently committed to a GitHub repository by a senior employee on June 4, 2019. Although the key was removed from GitHub two days later, it remained visible in the platform’s commit history, and a subsequent failed key rotation on June 21, 2019 left the compromised key active for approximately 15 months. The attacker extracted personal data from approximately 1.45 million users, including email addresses, 840,000 names, 447,000 mobile numbers, 300,000 bank account numbers, and partial credit card information for 380,000 users. ShopBack discovered the breach on September 17, 2020 during a routine security review, and the stolen database was subsequently offered for sale on Raidforums in November 2020. In August 2023, Singapore’s Personal Data Protection Commission (PDPC) fined ShopBack SG$74,400 for failing to implement sufficiently robust processes to manage AWS keys and for not conducting periodic security reviews that could have detected the key’s continued activity.
