Behavioral data is regulated data: Amplitude export key abuse
A leaked Amplitude secret key bulk-exports behavioral data: device ids, user properties, and in-app behavior. No password was taken, but the privacy duty is real.
Amplitude is product analytics, and its export key unlocks a longitudinal record of what real users did. That is privacy-sensitive data, distinct from credentials or source code.
How the attack works
The API key and secret key leak from a public client bundle and a config repo. The export API is invoked with the project secret key from an IP outside the company’s data pipeline, requesting a multi-month window far larger than the nightly incremental pulls. Event payloads carrying device identifiers, user properties, and in-app event streams are downloaded in bulk, and the attacker then probes a second project to test the key’s scope. The harm is data exposure, not access takeover. In ATT&CK terms this is T1552, Unsecured Credentials, and T1078, Valid Accounts, with the bulk pull mapping to T1213, Data from Information Repositories, and T1567, Exfiltration Over Web Service.
Why it works
A powerful export secret was reachable from a client bundle and a repo, and it was broadly scoped, so one leaked key could pull everything.
How to fix it
The non-obvious move is that a static export key has no session to log out, so rotation is the kill switch: rotate the API and secret keys to invalidate the leaked value, then scope which projects the replacement can read. Do not wait to measure the export first, because waiting means more months of data egress while you watch. For the class fix, keep secret keys server-side and out of client bundles, store them in a secret store with rotation, and restrict export-API access by source and per-project scope. To measure the exposure afterwards, filter the export API logs to the leaked key and the requested windows; that tells you exactly which projects and date ranges left.
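The detection and scoping logic above, as an added example that is not part of the original scenario or Amplitude's own tooling. It runs over a constructed export-API access log (the field names, the pipeline address range and the 7-day threshold are assumptions) and flags pulls whose window exceeds the nightly increment or whose source IP is outside the data pipeline, then reports per project which date ranges the leaked key pulled.

```python
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed sample of export-API access records (hypothetical field names;
# a real log schema will differ). Two nightly pulls from the pipeline, then a
# multi-month pull from an outside IP, then a probe of a second project.
EXPORT_LOG = [
    {"key_id": "k1", "project": "prod-web", "src": "10.20.0.5",
     "start": date(2024, 5, 1), "end": date(2024, 5, 2)},
    {"key_id": "k1", "project": "prod-web", "src": "10.20.0.5",
     "start": date(2024, 5, 2), "end": date(2024, 5, 3)},
    {"key_id": "k1", "project": "prod-web", "src": "203.0.113.77",
     "start": date(2024, 1, 1), "end": date(2024, 5, 3)},
    {"key_id": "k1", "project": "prod-ios", "src": "203.0.113.77",
     "start": date(2024, 4, 1), "end": date(2024, 5, 3)},
]

PIPELINE_NETS = [ip_network("10.20.0.0/16")]  # assumed data-pipeline egress range
MAX_WINDOW_DAYS = 7  # assumed: nightly incremental pulls never exceed this

def is_pipeline_source(src):
    ip = ip_address(src)
    return any(ip in net for net in PIPELINE_NETS)

def flag_exports(log, max_days=MAX_WINDOW_DAYS):
    """Return (record, reasons) for pulls with an oversized window or a foreign source."""
    flagged = []
    for rec in log:
        window = (rec["end"] - rec["start"]).days
        reasons = []
        if window > max_days:
            reasons.append(f"window {window}d > {max_days}d")
        if not is_pipeline_source(rec["src"]):
            reasons.append(f"source {rec['src']} outside pipeline")
        if reasons:
            flagged.append((rec, reasons))
    return flagged

def exposure_scope(log, key_id, src=None):
    """Per project, the earliest start and latest end pulled with key_id (optionally only from src)."""
    scope = {}
    for rec in log:
        if rec["key_id"] != key_id or (src and rec["src"] != src):
            continue
        lo, hi = scope.get(rec["project"], (rec["start"], rec["end"]))
        scope[rec["project"]] = (min(lo, rec["start"]), max(hi, rec["end"]))
    return scope

if __name__ == "__main__":
    for rec, reasons in flag_exports(EXPORT_LOG):
        print(rec["project"], rec["src"], "; ".join(reasons))
    print(exposure_scope(EXPORT_LOG, "k1", src="203.0.113.77"))
```

The scope report is what you hand to privacy or legal: project names and date ranges, not a guess at how much data "might" have left.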
Practice it
We built this as a GraphLattice Range scenario so teams can rehearse the bulk export, the rotate-and-scope containment, and the framing that behavioral data can be regulated personal data with no password taken.