
Tell HN: Security Incident at Porter (YC S20)

5•leetrout•6h ago
Hug ops to the team. Justin is great and I know they have to be stressed from all of this.

Email I got from Porter follows, trimmed for HN character limit. Full text at https://gist.github.com/leetrout/2d172d2b95e8d24af0f3de0d0b03561e

---

What happened

On April 13th, 2026, the Porter team detected unauthorized activity originating from a stale AWS access key in our infrastructure. Upon detection, we immediately revoked all affected credentials and engaged our incident response processes, which included a comprehensive investigation.

Since April 13th, we have seen no further evidence of unauthorized activity within Porter networks and systems. Working closely with Cloudflare and Amazon, we have substantially completed the investigation of our environment and are continuing to prioritize supporting customers in their response efforts.

We have determined that the threat actor operated between 03:23 UTC April 11, 2026 and 15:24 UTC April 13, 2026. During this window, the threat actor leveraged IAM role chaining from Porter's infrastructure to access 21 customer cloud accounts. A few customers within the targeted group confirmed successful retrieval of on-cluster secrets. For these users, we currently have no evidence that secrets were abused or that other actions were taken beyond secret retrieval through this role chain. In particular, there was no evidence of any unauthorized modification of customer infrastructure for any of these users. Via the same initial access, the threat actor accessed credentials for the Porter GitHub App. Working with the GitHub team, we learned that requests were made to GitHub API endpoints for some users. We have since received confirmation that three customer repositories were cloned. User-configured Helm overrides and credentials for Porter integrations, including Slack and AI integrations for a limited number of users, were also exposed. All users with such credentials were directly informed this week.

[snip]

In the days since, we have:

Rotated all remaining Porter AWS access keys, including those not known to be affected

Deployed additional logging and monitoring across all Porter AWS accounts

Established endpoint detection and response, additional real-time alerting, an incident response retainer, and 24x7 monitoring with an outside security firm

Further restricted ingress network traffic

Engaged Cloudflare, Latacora, and AWS to audit our configurations

We will cover the full scope of our ongoing remediation, including elimination of long-lived access keys, least-privilege enforcement, role chaining restrictions, and expanded threat detection in a detailed write-up to follow.

What Porter customers should do

We have communicated tailored action items to all customers based on their levels of exposure. The following general steps apply to everyone:

Review GitHub activity logs

[snip]

Key events to look for:

Unexpected repository clones ("git.clone" events)

New deploy keys or SSH keys added to repositories

OAuth application authorizations you don't recognize

Changes to branch protection rules or webhook configurations

Rotate third-party credentials

Rotate credentials for any Porter integrations, including Slack, alerting services, and AI support, that have not been updated since April 14, 2026.

Engage a security firm if needed

[snip]

What comes next

The incident resulted from a stale, overprivileged access key. Our remediation is focused on eliminating the conditions that made this compromise possible, not just the specific vector that was exploited.

We will share a detailed write-up in the coming weeks covering our remediation and ongoing efforts to harden our infrastructure. We also intend to establish regular transparency updates on our security posture moving forward.

[snip]
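
An added example, not part of the post or of Porter's email: one way to triage an exported GitHub audit log for the "key events" the notice lists, from the start of the stated actor window onward. Apart from "git.clone", which the notice names, the action prefixes and the `@timestamp`/`action`/`actor`/`repo` field names are assumptions about GitHub's JSON export format, and the sample records are constructed.

```python
import json
from datetime import datetime, timezone

# Actor activity window stated in the notice (UTC).
WINDOW_START = datetime(2026, 4, 11, 3, 23, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 13, 15, 24, tzinfo=timezone.utc)

# Action prefixes for the notice's "key events". Assumption: GitHub's
# category.action naming; confirm the names against your own export.
WATCHED = {
    "git.clone": "repository clone",
    "deploy_key.": "deploy key change",
    "public_key.": "SSH key change",
    "oauth_authorization.": "OAuth app authorization",
    "protected_branch.": "branch protection change",
    "hook.": "webhook change",
}

def ms(*parts):
    """Epoch milliseconds for a UTC date, used to build the sample records."""
    return int(datetime(*parts, tzinfo=timezone.utc).timestamp() * 1000)

def triage(lines):
    """Return watched events at or after WINDOW_START, oldest first."""
    hits = []
    for line in filter(str.strip, lines):
        event = json.loads(line)
        action = event.get("action", "")
        reason = next((r for p, r in WATCHED.items() if action.startswith(p)), None)
        if reason is None:
            continue
        # Assumption: "@timestamp" is epoch milliseconds.
        when = datetime.fromtimestamp(event["@timestamp"] / 1000, tz=timezone.utc)
        if when >= WINDOW_START:
            hits.append({"when": when.isoformat(), "action": action,
                         "reason": reason, "actor": event.get("actor"),
                         "repo": event.get("repo"),
                         "in_actor_window": when <= WINDOW_END})
    return sorted(hits, key=lambda h: h["when"])

# Constructed sample records (not real data), one JSON object per line.
SAMPLE = [json.dumps(e) for e in (
    {"@timestamp": ms(2026, 4, 12, 10, 0), "action": "git.clone", "actor": "example-app[bot]", "repo": "example-org/api"},
    {"@timestamp": ms(2026, 4, 12, 10, 5), "action": "git.push", "actor": "alice", "repo": "example-org/api"},
    {"@timestamp": ms(2026, 4, 14, 9, 0), "action": "hook.create", "actor": "alice", "repo": "example-org/web"},
    {"@timestamp": ms(2026, 4, 10, 8, 0), "action": "protected_branch.destroy", "actor": "bob", "repo": "example-org/web"},
    {"@timestamp": ms(2026, 4, 11, 4, 0), "action": "deploy_key.create", "actor": "example-app[bot]", "repo": "example-org/api"},
)]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

Events after the window are kept and marked `in_actor_window: False`, since credentials exposed during the window could still be used until they are rotated.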
