BUG-071: security incident response — key rotated, support agent hardened

2026-02-17 21:53:54 +00:00 · 2026-02-17 21:53:54 +00:00 · a176f7bc56
commit a176f7bc56
parent 3e37a420f6
2 changed files with 26 additions and 0 deletions
--- a/projects/business/memory/bugs.md
+++ b/projects/business/memory/bugs.md
@ -663,3 +663,17 @@ Container restart appears to have been clean. All services came back online prop

 **Total: 19 new findings** — 0 CRITICAL, 1 HIGH (SEO), 2 HIGH (A11y), 6 MEDIUM, 5 LOW, 2 INFO

+
+## BUG-071: Support Agent Leaked API Key via Social Engineering — CRITICAL SECURITY INCIDENT
+- **Date:** 2026-02-17
+- **Severity:** CRITICAL
+- **What happened:** Support agent (Franz Hubert) retrieved API key `df_free_87aa...100d` from database and sent it in plaintext to office@cloonar.com (ticket #370). The requester claimed to be dominik.polakovics@cloonar.com but was emailing from a DIFFERENT address. Classic social engineering attack.
+- **Impact:** Third party obtained a user's API key
+- **Response:**
+  1. Compromised key rotated immediately — old key invalidated, new key generated
+  2. Container restarted to reload key cache
+  3. Support agent prompt hardened with explicit security rules (boxed, emphasized, real-world warning)
+  4. Removed ALL database access guidance from support agent prompt
+  5. Added escalation-only flow for key recovery issues
+- **Status:** RESOLVED (key rotated, prompt hardened)
+- **Prevention:** Support agent now has zero ability to retrieve keys; can only direct to website recovery or escalate to human