Customer FAQ — May 12, 2023

  • What happened? 
    • As part of our vulnerability management program, we recently discovered an Amplitude image that was accidentally made publicly available on DockerHub. Through our investigation, we confirmed that the image included credentials for some third-party integrations, Redshift, and Snowflake for the Amplitude query add-on for certain Amplitude customers. Amplitude removed the image from public access within one hour of the discovery. At this time, there is no evidence that the credentials have been used maliciously. 
  • How do I know if I was impacted?
    • If your organization was impacted, your organization’s Amplitude admins were notified via email on Friday, May 12, 2023. If your admins did not receive an email, your organization was not impacted and no action is required. 
  • What actions am I supposed to take?
    • Please refer back to the notification email your organization's Amplitude admins received. We've outlined the specific actions your organization needs to take there.
  • When was the DockerHub image discovered? 
    • The Docker image was discovered on the evening of April 20, 2023. We immediately made the image private and began our investigation to understand and confirm what the image contained and who was impacted. 
  • How did this happen?
    • During a June 2022 Amplitude hack-a-thon, the image was manually created and pushed to DockerHub under a specific user. This bypassed our build processes and controls and was in violation of our policies. 
  • How long was the DockerHub image publicly accessible? 
    • The Docker image in question was uploaded on June 9, 2022 and has not been updated since. After discovering the image, we removed it from public access within one hour. At this time, there is no evidence that the credentials have been used maliciously. 
  • What detection challenges did you face?
    • All of Amplitude's internal images are supposed to be published privately in our active space on DockerHub. However, during a hack-a-thon, an Amplitude engineer accidentally published the image into a separate space that we do not actively use. Because this does not follow our standard practices, it increased our time to detect the image being public.
  • How do we know this information hasn’t been accessed or used maliciously? 
    • In addition to our own assessment, we have worked with both DockerHub and a third-party forensics firm to investigate. While we cannot guarantee the information wasn't accessed, we have not found any evidence of malicious activity.
  • What steps is Amplitude taking to prevent something like this from happening again? 
    • Amplitude is improving internal practices and enhancing our controls to help prevent an incident like this from happening again. We’ve updated our monitoring of DockerHub to include all spaces associated with Amplitude. We are also in the process of moving away from DockerHub to a solution that provides controls that allow us to restrict publishing public images.
  • If I have additional questions, who do I contact?
    • Please fill out a request form on using the subject line "Question about Amplitude Incident Notice." We'll get back to you as soon as possible!
