
Cyber Incident Victim: Algolia

Date: May 2020

Location: France

Summary

A search provider experienced a security breach exploiting Salt vulnerabilities (CVE-2020-11651 and CVE-2020-11652), allowing attackers to install a backdoor and cryptocurrency miner on a small number of servers. The incident was detected promptly through server alerts, enabling engineers to remove malware, shut down affected systems, and restore services with minimal customer impact, as most downtimes lasted under 10 minutes. Analysis confirmed the attack's sole intent was cryptocurrency mining without data compromise. This event was part of a broader campaign by the Kinsing botnet targeting unpatched Salt systems across multiple organizations.


Description

On May 3, 2020, at 3:12 am Paris time, Algolia experienced a security breach impacting its search infrastructure. The attackers exploited two critical vulnerabilities in Salt, CVE-2020-11651 (authentication bypass) and CVE-2020-11652 (directory traversal), to compromise servers. These flaws enabled unauthorized access to Algolia’s systems, where the threat actors deployed a backdoor and cryptocurrency mining malware. The company detected the intrusion almost immediately through automated server alerts indicating search and indexing service disruptions for multiple customers. Engineering teams responded by isolating affected servers, removing malicious payloads, and restoring services. Of Algolia’s 700+ server clusters, 15 (approximately 2%) experienced search downtime exceeding five minutes, while six clusters (less than 1%) suffered outages lasting over ten minutes. Service was fully restored within hours, with no evidence of data theft, alteration, or destruction. Julien Lemoine, Algolia’s Co-founder and CTO, confirmed, based on analysis of the malware payload, that the attackers’ sole objective was cryptocurrency mining.


The incident was part of a broader campaign attributed to the Kinsing cryptocurrency mining botnet, which simultaneously targeted organizations including LineageOS, Ghost, Digicert, and Xen Orchestra using the same Salt vulnerabilities. SaltStack had issued patches for these flaws days prior to the attacks, following their disclosure by F-Secure, which had identified over 6,000 internet-exposed Salt master servers at risk. Security researchers subsequently backported fixes to end-of-life Salt versions and released detection scripts to verify patch compliance. Algolia’s post-mortem emphasized the operational focus of the attack, noting no significant disruption to core search functionalities or customer data integrity. The company’s rapid containment limited widespread impact, though the event underscored systemic risks associated with unpatched Salt implementations in enterprise environments.
