logo

Cloud Bucket Hijacking Technique Lets Attackers Reroute Logs and Sensitive Data

ID: b5c791a7-b4dd-5ad6-983a-bbff5805ebc6

STIX ID: report--b5c791a7-b4dd-5ad6-983a-bbff5805ebc6

Feed Name: Cyber Press

Threat Score
70/100

Date Published: 2026-06-27

Date Updated: 2026-06-27

Author: Lucas Martin

...
...

Unit 42 researchers describe a cross-cloud “bucket hijacking” technique that leverages globally unique bucket names: an attacker with delete permissions can remove a target bucket and immediately recreate it under their account, causing existing logging sinks, replication pipelines, and transfer jobs to continue delivering sensitive data to the attacker. The report demonstrates successful simulations on Google Cloud (logging sinks, Pub/Sub, Storage Transfer), AWS (S3 replication, Firehose), and an Azure cross-subscription variant, warns that common admin roles grant the needed delete permissions, and recommends least-privilege controls, monitoring of bucket deletions, and provider-specific mitigations to prevent silent exfiltration.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.