Your developers use AWS daily. They log into the console from their browsers. They save passwords because typing credentials fifty times a day is annoying.
Then one laptop gets infected with info-stealer malware.
Now your AWS console credentials are in a stealer log. Along with session cookies that might bypass MFA entirely.
How cloud credentials end up in stealer logs
Info-stealers grab everything the browser stores. Saved passwords. Autofill data. Cookies. Browser history.
When a developer logs into console.aws.amazon.com and saves the password, that credential is now stored locally. When malware runs, it extracts that stored password and uploads it to an attacker's server.
The same happens with Azure Portal, Google Cloud Console, Okta, and every other cloud service accessed through a browser.
Why cloud credentials are high-priority targets
One AWS credential can expose your entire infrastructure.
S3 buckets with customer data. RDS databases with production records. Lambda functions with hardcoded secrets. IAM policies that allow privilege escalation.
Attackers know this. When they parse fresh stealer logs, cloud console URLs get flagged immediately. These credentials get tested before anything else.
The session cookie problem
Passwords are not the only risk. Stealer logs capture cookies too.
If a developer was logged into AWS Console when the malware ran, their session cookie got captured. An attacker can import that cookie into their browser and access AWS without ever entering a password or triggering MFA.
Session cookies can stay valid for hours or days. Long enough for an attacker to create new IAM users, generate access keys, and establish persistence.
By the time the original session expires, they have their own access.
What to look for in LeakRadar
Search your company domain and filter results by URL. Look for patterns like:
console.aws.amazon.com for AWS access.
portal.azure.com for Azure.
cloud.google.com for GCP.
login.microsoftonline.com for Microsoft 365 and Azure AD.
okta.com for identity provider access.
Any result matching these patterns is critical. Fresh timestamps make it urgent.
Response when you find cloud credentials
Do not just reset the password. That is not enough.
Revoke all active sessions for the affected user.
Check CloudTrail or equivalent audit logs for unauthorized activity.
Review IAM for new users, roles, or access keys created recently.
Rotate any access keys associated with the compromised account.
Check for persistence mechanisms like new API tokens or OAuth apps.
Cloud compromises escalate fast. A single credential can become full infrastructure access within hours.
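Added example for the CloudTrail and IAM review steps above (not LeakRadar's code): a small Python triage that pulls out persistence-related IAM calls made as the compromised user after the stealer log's capture time. The IAM user name, the leak timestamp and the CloudTrail records are constructed sample data.

```python
from datetime import datetime, timedelta

# IAM calls that typically turn a stolen console session into durable access
# (the "new users, roles, or access keys" check described above).
PERSISTENCE_EVENTS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "CreateRole",
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
    "UpdateAssumeRolePolicy", "DeactivateMFADevice",
}

# Constructed sample CloudTrail records (not real data): a routine read by the
# developer, then persistence actions from an unfamiliar IP after the leak.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T08:05:00Z", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "dev.alice"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": None},
    {"eventTime": "2024-05-01T11:42:13Z", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "dev.alice"},
     "sourceIPAddress": "198.51.100.77", "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2024-05-01T11:43:02Z", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "dev.alice"},
     "sourceIPAddress": "198.51.100.77", "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2024-05-01T11:50:00Z", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "dev.bob"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"userName": "ci-runner"}},
]

def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def triage(events, user_name, leak_time, window_hours=72):
    """Persistence-related calls made as user_name within window_hours after
    leak_time (datetime or ISO string), oldest first, with the object touched."""
    start = parse_time(leak_time) if isinstance(leak_time, str) else leak_time
    end = start + timedelta(hours=window_hours)
    hits = []
    for ev in events:
        if (ev["userIdentity"].get("userName") != user_name
                or ev["eventName"] not in PERSISTENCE_EVENTS):
            continue
        if not start <= parse_time(ev["eventTime"]) <= end:
            continue
        params = ev.get("requestParameters") or {}
        hits.append({"time": ev["eventTime"], "action": ev["eventName"],
                     "target": params.get("userName") or params.get("roleName"),
                     "source_ip": ev["sourceIPAddress"]})
    return sorted(hits, key=lambda h: h["time"])
```

Run `triage(SAMPLE_EVENTS, "dev.alice", "2024-05-01T10:00:00Z")` with the stealer log's capture time as the window start; each hit names the user or role to review and the source IP to compare against the developer's usual addresses.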
The gap in cloud security monitoring
Most cloud security tools focus on misconfigurations and runtime threats. They assume authentication is secure.
Stealer logs bypass that assumption entirely. The attacker has valid credentials. From the cloud provider's perspective, it looks like a legitimate login.
If you are not monitoring for leaked cloud credentials specifically, you are missing one of the fastest paths to a breach.