ctipilot.ch

PostHog AWS exploit — researcher-confirmed; EU/US cloud credential rotation and outage

incident · item:posthog-aws-exploit-eu-us-cloud-credential-rotation

Coverage timeline: 1 (first 2026-06-01 → last 2026-06-01)
Briefs: 1 (1 distinct)
Sources cited: 6 (6 hosts)
Sections touched: 1 (active_threats)
Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-06-01 · CTI Daily Brief — 2026-06-01
     active_threats: PostHog rotated all AWS creds after researcher-confirmed exploit; both EU/US clouds degraded ~6h; no data compromised; vector undisclosed; T1190

Where this entity is cited

  • active_threats (1)

Source distribution

  • news.risky.biz: 1 (17%)
  • posthogstatus.com: 1 (17%)
  • edri.org: 1 (17%)
  • isc.sans.edu: 1 (17%)
  • microsoft.com: 1 (17%)
  • sonatype.com: 1 (17%)

Related entities

Items in briefs about PostHog AWS exploit — researcher-confirmed; EU/US cloud credential rotation and outage (1)

PostHog rotates all AWS credentials after researcher-confirmed cloud exploit; EU and US clouds degraded

From CTI Daily Brief — 2026-06-01 · published 2026-06-01

PostHog — a widely deployed open-source product-analytics platform with managed EU Cloud and US Cloud offerings plus a large self-hosted base — disclosed a security incident on 30 May 2026 (01:03 UTC) after a security research team confirmed an exploit in one of its AWS environments, and rotated all AWS credentials within ~15 minutes, causing degraded performance across both clouds (exports, reverse-proxy and dependent services) until it marked the incident resolved at 07:16 UTC the same day (PostHog status, 2026-05-30). PostHog states no keys were publicly accessible and no customer data was compromised, that the issue was patched, and that the credential rotation — not the exploit — caused the outage; independent reporting corroborated the event as a security incident with no customer data compromised (Risky Biz News, 2026-06-01). PostHog has not publicly disclosed the vector, the research team, or whether a CVE was assigned. The exploit was researcher-demonstrated, not observed in the wild. Mapped to T1190 Exploit Public-Facing Application for the exposed AWS surface.

Defender takeaway: PostHog ingests event streams, session recordings and feature-flag state from production applications, so a credential compromise in its hosted environment is a high-fidelity behavioural-data and potential lateral-movement risk into customer contexts. Organisations using PostHog EU Cloud should verify the IAM permission scopes and any cross-account trust relationships granted to PostHog's AWS account, and monitor CloudTrail for unexpected key usage from its managed-infrastructure ranges; self-hosters should confirm their ingestion endpoint is not reachable unauthenticated from the internet. The sub-6-hour, status-page-transparent response is a positive signal, but the undisclosed vector means defenders cannot yet scope self-hosted exposure precisely.
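The CloudTrail check the takeaway recommends, as an added example that is not part of the brief or of PostHog's own tooling: it attributes records to the vendor either by the vendor's account ID (the AssumeRole call) or by the delegated role's sessionIssuer (follow-on calls with the session credentials), and flags anything sourced outside an allowlist of ranges. The account IDs, role ARN, IP ranges and CloudTrail records are constructed placeholders, not PostHog's real values.

```python
import ipaddress

# Constructed placeholders: substitute the real vendor account ID, the role
# you delegated to it, and the vendor's published infrastructure ranges.
VENDOR_ACCOUNT_ID = "111111111111"
DELEGATED_ROLE_ARN = "arn:aws:iam::999999999999:role/VendorIngestRole"
VENDOR_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed CloudTrail records, trimmed to the fields the check reads.
SAMPLE_EVENTS = [
    # Vendor assuming the delegated role from an allowlisted address: expected.
    {"eventName": "AssumeRole", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AWSAccount", "accountId": VENDOR_ACCOUNT_ID}},
    # Same principal, but from outside the published ranges: flag.
    {"eventName": "AssumeRole", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AWSAccount", "accountId": VENDOR_ACCOUNT_ID}},
    # Follow-on call with the session credentials; attributed via sessionIssuer.
    {"eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "accountId": "999999999999",
                      "sessionContext": {"sessionIssuer": {"arn": DELEGATED_ROLE_ARN}}}},
    # Unrelated principal in your own account: out of scope for this check.
    {"eventName": "ListBuckets", "sourceIPAddress": "192.0.2.5",
     "userIdentity": {"type": "IAMUser", "accountId": "999999999999"}},
]


def is_vendor_activity(event):
    """True if the record is the vendor account itself or a session of the delegated role."""
    ident = event.get("userIdentity", {})
    if ident.get("accountId") == VENDOR_ACCOUNT_ID:
        return True
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") == DELEGATED_ROLE_ARN


def flag_unexpected_vendor_activity(events, ranges=VENDOR_RANGES):
    """Return (eventName, sourceIPAddress, reason) for vendor calls outside the allowlist."""
    findings = []
    for ev in events:
        if not is_vendor_activity(ev):
            continue
        src = ev.get("sourceIPAddress", "")
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            # CloudTrail records a service hostname instead of an IP when another AWS
            # service acted on the principal's behalf; surface it rather than skip it.
            findings.append((ev["eventName"], src, "non-IP source, review manually"))
            continue
        if not any(addr in net for net in ranges):
            findings.append((ev["eventName"], src, "outside vendor ranges"))
    return findings
```

Run it over real records by loading the CloudTrail JSON and passing the `Records` list in place of `SAMPLE_EVENTS`.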