Leaked Datadog keys — observability pipeline compromise

Datadog API keys are used to submit (ingest) data; App keys are used to query data and manage resources through the API. If both leak, the holder can read every metric, log and trace, and can inject fabricated metrics to mask real incidents.

The next 60 seconds matter

The attacker exfiltrates metrics (revealing infrastructure topology), logs (which often contain PII and tokens) and traces. With the App key they can also query and modify dashboards and monitors, potentially silencing alerts during an active attack.

  • Query every metric and log
  • Exfiltrate logs that contain sensitive data
  • Disable monitors to mask an active attack
  • Modify dashboards to hide anomalies

Rotation playbook

  1. Datadog → Integrations → API Keys / App Keys → Revoke the leaked keys
  2. Update every agent and integration with the replacement keys
  3. Review the Audit Trail for anomalous queries in the past 72 hours

Prevent the next one

  • Scope App keys to specific roles
  • Rotate quarterly
  • Never include Datadog keys in client-side code

Pattern we scan for

{32 hex chars} (API key) / {40 hex chars} (App key)
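A minimal scanner for that pattern, added here as an example and not the page's own tooling. Because a bare 32- or 40-character hex run also matches MD5 digests and SHA-1 / git commit ids, it only flags a run that follows a Datadog-related keyword; the keyword list and the 40-character window are assumptions made for this example, and the sample input is constructed.

```python
import re

# Added example, not the page's own scanner. Bare 32/40-hex runs also match MD5
# digests and SHA-1 / git commit ids, so a candidate is only flagged when a
# Datadog-related keyword appears within a short window before it. The keyword
# list and the 40-character window are assumptions chosen for this example.
KEYWORD = (
    r"(?<![a-z0-9])(?:datadog|dd[_-]?api[_-]?key|dd[_-]?app(?:lication)?[_-]?key"
    r"|api[_-]?key|app(?:lication)?[_-]?key)"
)
# Page pattern: 32 hex chars = API key, 40 hex chars = App key. The lookarounds
# make sure the run is not a slice of a longer hex string.
CANDIDATE = re.compile(
    KEYWORD + r"[^\n]{0,40}?(?<![0-9a-f])(?P<hex>[0-9a-f]{32}|[0-9a-f]{40})(?![0-9a-f])",
    re.IGNORECASE,
)


def scan_text(text: str) -> list[dict]:
    """Return one finding per candidate key; values are redacted, never reported whole."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            secret = m.group("hex")
            findings.append({
                "line": lineno,
                "kind": "datadog_api_key" if len(secret) == 32 else "datadog_app_key",
                "redacted": secret[:4] + "..." + secret[-4:],
            })
    return findings


# Constructed sample input: the two "keys" are placeholders, not real credentials.
# Lines 3 and 4 are an MD5 digest and a git commit id that must not be flagged.
SAMPLE = """\
DD_API_KEY=0123456789abcdef0123456789abcdef
export DD_APP_KEY="0123456789abcdef0123456789abcdef01234567"
checksum_md5 = d41d8cd98f00b204e9800998ecf8427e
git_commit = 356a192b7913b04c54574d18c28d46e6395428ab
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f['line']}: {f['kind']} ({f['redacted']})")
```

The keyword window trades recall for precision: a key stored under an unrelated variable name is missed, while a hash that happens to sit near the word "datadog" is still flagged for manual review.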