Cyber Incident Victim: Code Spaces
Date:
Jun 2014
Location:
United States of America
Summary
A code-hosting service suffered irreversible operational failure after an attacker compromised its Amazon Web Services account through a coordinated DDoS attack and subsequent extortion attempt. The intruder gained unauthorized access to the AWS management console, created backup credentials, and systematically deleted critical infrastructure components—including Elastic Block Store snapshots, S3 buckets, machine instances, and configuration backups—during a 12-hour window when defenders attempted to regain control. This destruction of primary data and redundant backups left the company unable to restore services, forcing permanent cessation of operations due to insurmountable financial liabilities and loss of customer trust.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On June 17, 2014, Code Spaces experienced a distributed denial-of-service (DDoS) attack against its servers, an occurrence the company stated happened "quite often" and was typically resolved transparently. This incident escalated when an unauthorized individual, unrelated to current or former employees, gained access to Code Spaces’ Amazon Web Services (AWS) EC2 control panel. The attacker left messages instructing Code Spaces to contact a Hotmail address, initiating an extortion attempt involving a "large fee" to stop the DDoS. Code Spaces investigated the breach upon discovering the unauthorized access, determining the intruder had not obtained private keys and therefore lacked direct machine access. The company attempted to regain control by changing AWS console passwords, but the attacker had created backup logins in anticipation of this response.

During the 12-hour breach, the intruder engaged in systematic destruction of critical infrastructure upon observing Code Spaces’ recovery efforts. This included deletion of all Elastic Block Store (EBS) snapshots, S3 storage buckets, Amazon Machine Images (AMIs), select EBS instances, and multiple machine instances. The attacker’s actions resulted in near-total eradication of Code Spaces’ operational data, backups, machine configurations, and offsite backups. Despite eventually regaining panel access, Code Spaces confirmed permanent loss of most customer Subversion repositories and Elastic Block Store volumes, along with all virtual machines. The company concluded restoration was impossible due to the comprehensive nature of the deletions.
Code Spaces announced immediate cessation of operations on June 18, 2014, citing irreversible financial damage from both incident response costs and anticipated customer refund obligations. A public statement emphasized the breach destroyed the company’s credibility, leaving no viable path to continue service. Customers were advised to export remaining data while Code Spaces focused on migration support. The company’s website had previously advertised a "proven" recovery plan tested through regular practice, contrasting sharply with its inability to recover from this incident. AWS multifactor authentication options were referenced in media coverage, though the specific vulnerability exploited in the AWS console breach remained unspecified in Code Spaces’ final advisory.
