Threat Intel Alert: Sumo Logic Security Incident

Wednesday 8th November 2023

Summary:

Sumo Logic has urged users to change the credentials used to access any Sumo Logic tool, following a suspected security breach. The company provides cloud monitoring, log management and SIEM tooling. It stated that on 3rd November there had been unauthorised access to a Sumo Logic AWS account using compromised credentials.

Observation:

There is currently little to suggest that the company's systems, networks or customer data have been impacted, but Sumo Logic is advising users to change the credentials used to access Sumo Logic or other Sumo Logic systems. API access keys are the most urgent. Sumo Logic's investigation is ongoing, and it will notify customers directly if it discovers any malicious access to customer accounts.

Sumo Logic's first response was to lock down the exposed infrastructure and, out of an abundance of caution, rotate every credential for its own infrastructure that could potentially have been exposed. It is continuing to investigate the incident and has added extra security measures for further protection.

Analyst Comment:

Sumo Logic's immediate response is aimed at reassuring customers and giving them visibility of the security measures being taken on their behalf. The investigation is ongoing, and Sumo Logic appears to be acting cautiously to prevent further damage. The Customer Actions below give advice on what customers should do to mitigate any potential impact from their end. However, because the full extent of the incident is not yet known, customers should remain cautious, watch for further security updates from Sumo Logic, and act on them if required.

Customer Actions:

We recommend that customers change any credentials that are used to access Sumo Logic, and any credentials they have provided to Sumo Logic for access to other systems. Specifically:

What we advise you rotate immediately:

  • Sumo Logic API access keys (if you need assistance with this, contact Sumo Support)

What you could also rotate as an additional precautionary measure:

  • Sumo Logic installed collector credentials
  • Third-party credentials stored with Sumo Logic for data collection by a hosted collector (e.g. credentials Sumo Logic uses to read from your S3 buckets)
  • Third-party credentials stored with Sumo Logic as part of a webhook connection configuration
  • User passwords for Sumo Logic accounts

If you have questions about steps to take, please do not hesitate to contact our customer support team at https://support.sumologic.com/support/s/
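Before rotating anything, it helps to know which API access keys actually need attention: an active key minted before the incident is a candidate, a key created afterwards or already disabled is not. The script below is an added example and is not Sumo Logic's own code or tooling. It assumes the key inventory looks like the `data` array returned by the Sumo Logic Access Keys Management API (`GET /api/v1/accessKeys`), with each record carrying `id`, `label`, `createdAt` (ISO 8601, UTC) and `disabled`; those field names and the `POST`/`DELETE` paths in the plan are assumptions to verify against the current API documentation before use. The sample records are constructed for illustration and the script runs offline against them.

```python
"""Triage Sumo Logic API access keys after the November 2023 incident.

Added example, not Sumo Logic's own code. Assumed record shape (verify
against the Access Keys Management API docs): id, label, createdAt,
disabled. The sample inventory below is constructed, not real data.
"""
from datetime import datetime, timezone

# The advisory gives the date of the unauthorised access as 3rd November 2023.
INCIDENT_DATE = datetime(2023, 11, 3, tzinfo=timezone.utc)

# The exact time of access is not public, so treat any key created on or
# before 3rd November as potentially exposed: rotate if created before 4th.
ROTATE_IF_CREATED_BEFORE = datetime(2023, 11, 4, tzinfo=timezone.utc)

# Constructed sample of what an inventory pull might return (assumed shape).
SAMPLE_KEYS = [
    {"id": "k-001", "label": "terraform-ci",
     "createdAt": "2023-06-12T09:14:00Z", "disabled": False},
    {"id": "k-002", "label": "old-forwarder",
     "createdAt": "2022-01-30T17:02:11Z", "disabled": True},
    {"id": "k-003", "label": "soc-dashboards",
     "createdAt": "2023-11-06T08:00:00Z", "disabled": False},
    {"id": "k-004", "label": "legacy-export",
     "createdAt": "2021-09-01T00:00:00Z", "disabled": False},
    {"id": "k-005", "label": "incident-day-key",
     "createdAt": "2023-11-03T15:00:00Z", "disabled": False},
]


def parse_ts(value):
    """Parse an ISO 8601 timestamp; a trailing 'Z' is normalised to +00:00
    because datetime.fromisoformat only accepts 'Z' from Python 3.11."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def keys_needing_rotation(keys, cutoff=ROTATE_IF_CREATED_BEFORE):
    """Return active keys created before the cutoff, oldest first.

    A key minted after the incident cannot have been in the exposed set,
    and a disabled key can no longer be used, so neither needs action.
    Oldest-first ordering puts the longest-lived (widest-spread) keys first.
    """
    candidates = []
    for key in keys:
        if key.get("disabled"):
            continue
        created = parse_ts(key["createdAt"])
        if created < cutoff:
            candidates.append((created, key))
    candidates.sort(key=lambda c: c[0])
    return [key for _, key in candidates]


def rotation_plan(keys, cutoff=ROTATE_IF_CREATED_BEFORE):
    """Build the ordered API calls for a create-then-delete rotation.

    The replacement is created before the old key is deleted so the
    integration using it can be repointed without an outage. Returned as
    (method, path, note) tuples for review rather than executed here;
    the paths are assumptions to check against the API documentation.
    """
    plan = []
    for key in keys_needing_rotation(keys, cutoff):
        plan.append(("POST", "/api/v1/accessKeys",
                     f"create replacement for {key['label']}"))
        plan.append(("DELETE", f"/api/v1/accessKeys/{key['id']}",
                     f"delete {key['label']} after its consumer is updated"))
    return plan


if __name__ == "__main__":
    for key in keys_needing_rotation(SAMPLE_KEYS):
        print(f"rotate {key['id']} ({key['label']}) created {key['createdAt']}")
    for method, path, note in rotation_plan(SAMPLE_KEYS):
        print(f"{method:6} {path:32} # {note}")
```

The same cutoff logic applies to the precautionary items above (collector credentials, stored S3 credentials, webhook secrets): anything that existed on 3rd November is in scope, anything created afterwards is not.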

Caveat:
This advice is based on current, limited knowledge and should be further investigated and checked before being applied to your systems.

Sources:

Security Response Center | Sumo Logic
