Great idea, guys. Let's keep all of the data in an Excel file with weak password protection
# Incident Report: Fintech Startup Root Credential Exposure via Spreadsheet
## Executive Summary
During a strategic audit of a fintech startup, a consultant discovered root database credentials and master AWS IAM keys stored in a weakly encrypted Excel spreadsheet. The file resided on a company-wide SharePoint site accessible to all employees and contractors, the result of a dispute between teams over password management software. No data breach was reported, but the exposure created a high-risk vulnerability for the organization's entire cloud infrastructure.
## Incident Details
- **Discovery Date:** Approximately April 2026 (Audit period)
- **Incident Date:** The file had been present for approximately 8 months prior to discovery
- **Affected Organization:** Unnamed Fintech Startup (referred to as "Contoso" in this report)
- **Sector:** Fintech / Software Development
- **Geography:** Undisclosed
## Timeline of Events
### Initial Access
- **Date/Time:** 8 months prior to audit.
- **Vector:** Internal misconfiguration/Policy violation.
- **Details:** The internal DevOps team and external DBA contractors could not agree on a password manager. To facilitate "temporary" handoffs, they uploaded a spreadsheet to a shared SharePoint directory.
### Lateral Movement
- **Details:** Not applicable in a traditional attack sense; however, the placement of the file in the "DevOps_Handoff" folder on the company-wide intranet allowed any authenticated user on the corporate network to access the directory.
### Data Exfiltration/Impact
- **Details:** No malicious exfiltration was confirmed; however, the file contained:
  - Root database credentials.
  - Master AWS IAM keys.
### Detection & Response
- **How it was discovered:** Discovered by Stanislav Kazanov (Innowise) during a compliance and data architecture audit.
- **Response actions taken:** Reported the vulnerability to leadership; the issue was presumably remediated by transitioning to a secure secret management system following the audit intervention.
## Attack Methodology
- **Initial Access:** Valid accounts (any employee/contractor credentials).
- **Persistence:** The file remained active for eight months due to a lack of file-integrity monitoring or directory auditing.
- **Privilege Escalation:** Possession of the spreadsheet granted Administrative/Root access to cloud infrastructure (AWS) and production databases.
- **Defense Evasion:** Used a "password-protected" Excel file (weak encryption). Filename was `Prod_DB_Root_Creds_DO_NOT_SHARE.xlsx`.
- **Credential Access:** Weak password guessing (Password: `[Company Name] + [Year]`).
- **Discovery:** Browsable SharePoint directories.
- **Collection:** Centralized storage of various high-value secrets in a single `.xlsx` file.
- **Impact:** Potential for total loss of data integrity, confidentiality, and availability of the fintech platform.
## Impact Assessment
- **Financial:** High potential risk. The startup had a $1M+ security investment; a breach of these keys could have compromised millions in assets.
- **Data Breach:** Exposure of master keys that control the entire production environment.
- **Operational:** A malicious actor could have deleted the entire AWS infrastructure using the stored IAM keys.
- **Reputational:** High. A fintech firm failing to secure root credentials undermines customer trust in their "military-grade" security claims.
## Indicators of Compromise
- **Network indicators:** N/A (Internal discovery).
- **File indicators:** `Prod_DB_Root_Creds_DO_NOT_SHARE.xlsx`
- **Behavioral indicators:** Excessive or unusual access requests to the "DevOps_Handoff" SharePoint folder by non-DevOps personnel.
## Response Actions
- **Containment measures:** Identification of the exposed file during the audit.
- **Eradication steps:** Deletion of the spreadsheet from the SharePoint environment.
- **Recovery actions:** Rotation of all compromised Root DB credentials and AWS IAM Master keys.
## Lessons Learned
- **Shadow IT/Workarounds:** Disagreements between teams over tooling often lead to insecure "temporary" workarounds that become permanent.
- **Security Theater:** Physical security and biometric MFA are useless if administrative keys are stored in plaintext (or weakly encrypted files) on a shared drive.
- **The "Temporary" Trap:** "Temporary" fixes in DevOps frequently persist for months, becoming significant security debts.
## Recommendations
- **Secret Management:** Mandate the use of a unified Secret Management Vault (e.g., HashiCorp Vault, AWS Secrets Manager) and prohibit the storage of credentials in documents.
- **Least Privilege:** Implement strict RBAC (Role-Based Access Control) on SharePoint and intranet directories.
- **Credential Rotation:** Implement automated rotation for IAM keys and database passwords to limit the lifespan of leaked credentials.
- **Audit Logging:** Enable logging and alerting for SharePoint files containing keywords like "Root," "Creds," or "Password."
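The behavioral indicator listed above (non-DevOps access to the "DevOps_Handoff" folder) and the audit-logging recommendation can be combined into one simple detection over SharePoint access records. This is an added example, not part of the original report: the event records are constructed, and the flat `user`/`dept`/`op`/`path` schema is a hypothetical simplification rather than the real Microsoft 365 audit log format.

```python
import re
from collections import Counter

# Constructed sample audit records (hypothetical schema, not the real M365 format).
SAMPLE_EVENTS = [
    {"user": "alice@contoso.example", "dept": "DevOps", "op": "FileAccessed",
     "path": "/sites/intranet/DevOps_Handoff/Prod_DB_Root_Creds_DO_NOT_SHARE.xlsx"},
    {"user": "bob@contoso.example", "dept": "Marketing", "op": "FileAccessed",
     "path": "/sites/intranet/DevOps_Handoff/Prod_DB_Root_Creds_DO_NOT_SHARE.xlsx"},
    {"user": "carol@contoso.example", "dept": "Finance", "op": "FileDownloaded",
     "path": "/sites/intranet/DevOps_Handoff/runbook.docx"},
    {"user": "dave@contoso.example", "dept": "DevOps", "op": "FileUploaded",
     "path": "/sites/intranet/DevOps_Handoff/aws_master_password_list.xlsx"},
    {"user": "erin@contoso.example", "dept": "Sales", "op": "FileAccessed",
     "path": "/sites/intranet/Sales/Q2_targets.xlsx"},
]

# Keywords from the report's recommendation, matched as whole filename tokens so
# that e.g. "diamond" does not trigger on "iam".
SECRET_TOKENS = {"root", "cred", "creds", "credential", "credentials",
                 "password", "passwords", "secret", "secrets", "iam", "apikey"}
WATCHED_FOLDER = "/DevOps_Handoff/"
ALLOWED_DEPTS = {"DevOps"}  # departments expected in the handoff folder


def filename_tokens(path):
    """Split the last path component on non-alphanumerics, lower-cased."""
    name = path.rsplit("/", 1)[-1]
    return {t.lower() for t in re.split(r"[^A-Za-z0-9]+", name) if t}


def flag_events(events):
    """Return one finding per event that trips either rule, with reasons."""
    findings = []
    for e in events:
        reasons = []
        if filename_tokens(e["path"]) & SECRET_TOKENS:
            reasons.append("secret-like filename")
        if WATCHED_FOLDER in e["path"] and e["dept"] not in ALLOWED_DEPTS:
            reasons.append("non-DevOps access to DevOps_Handoff")
        if reasons:
            findings.append({"user": e["user"], "op": e["op"],
                             "path": e["path"], "reasons": reasons})
    return findings


def noisy_outsiders(events, threshold):
    """Users outside ALLOWED_DEPTS touching the watched folder >= threshold times."""
    counts = Counter(e["user"] for e in events
                     if WATCHED_FOLDER in e["path"] and e["dept"] not in ALLOWED_DEPTS)
    return {u: n for u, n in counts.items() if n >= threshold}
```

In production the threshold would be tuned per folder, and the same rules can run as a saved query on the real audit log once its fields are mapped onto this schema.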