Sumo Logic describes themselves as providing best-in-class cloud monitoring, log management, Cloud SIEM tools, and real-time insights for web and SaaS based apps. On November 7, they posted a notice on their website that they identify as “a possible security incident within our platform.”
According to their notice, Sumo Logic discovered evidence of a potential security incident on November 3.
“The activity identified used a compromised credential to access a Sumo Logic AWS account. We have not at this time discovered any impacts to our networks or systems, and customer data has been and remains encrypted.”
In response, they immediately locked down the exposed infrastructure and rotated every potentially exposed credential for our infrastructure out of an abundance of caution.
“We are continuing to thoroughly investigate the origin and extent of this incident. We have identified the potentially exposed credentials and have added extra security measures to further protect our systems. This includes improved monitoring and fixing any possible gaps to prevent any similar events and we are continuing to monitor our logs to look for further signs of malicious activity. We have taken actions to stop the threat to our infrastructure and are advising customers to rotate their credentials.”
Customers are advised to immediately rotate Sumo Logic API access keys. Customers may also wish to rotate:
Sumo Logic installed collector credentials
Third-party credentials that have been stored with Sumo for the purpose of data collection by the hosted collector (e.g., credentials for S3 access)
Third-party credentials that have been stored with Sumo as part of webhook connection configuration
User passwords to Sumo Logic accounts
More details on this and contact information for support are provided in their notice.