Attackers Exploit Public .env Files to Breach Cloud Accounts in Extortion Campaign

siteadmin August 16, 2024

A large-scale extortion campaign has exploited publicly accessible environment variable files (.env) containing credentials for cloud and social media apps, leading to compromises at various organizations. The operation targeted the Amazon Web Services (AWS) environments of compromised organizations and scanned over 230 million unique targets for sensitive information. More than 100k domains were attacked, yielding over 90k unique variables from .env files, including access to 7k organizations' cloud services and 1.5k social media accounts. The attackers did not exploit vulnerabilities in cloud services; they relied on .env files accidentally exposed by unsecured web applications.

Source: thehackernews.com