73 GB of internal corporate data exposed by Pocket iNet ISP

Misconfiguration of Amazon S3 storage pocket resulted in data exposure

Researchers found Amazon S3 bucked reachable by merely entering the URL. The exposed data contained usernames and passwords in plain text, as well as AWS secret keys.

Researchers from UpGuard Cyber Risk reported^[1] that Washington-based Internet Service Provider Pocket iNet accidentally exposed 73 GB of downloadable data online. The information contained corporate data, such as AWS secret keys^[2] of ISP's employees, as well as usernames and passwords in plain text.

The report claims that the data made publicly available after Amazon S3 storage bucket was misconfigured. It left all the information vulnerable for cybercriminals to access and exploit as needed. It took the company seven days before the Pocket iNet safeguarded the exposure.

The Internet Service Provider claims on the official website that the company uses the newest technologies to provide the service:

Pocket iNet makes use of bleeding edge and emerging technologies such as native IPv6, Carrier Ethernet and local fiber to the premise delivering the highest possible service levels to connected customers.

While excellent service providing is beneficial for the business and the clients, it seems like it is time the company puts some resources in ensuring the security of data.

The exposure can result disastrous consequences if the data ends up in cybercriminals' hands

UpGuard researchers came across the exposed bucket of 73 GB of data named “pinapp2” on 11th of October 2018. They soon realized that the bucket belongs to Pocket iNet ISP, and contained spreadsheets, diagrams, pictures, inventory lists, plain text usernames and passwords, configuration details and similar.

Security experts immediately contacted the company via the phone and email, notifying of the exposure. The threat is severe because ISPs are a part of the US Critical Infrastructure^[3] and are one of the prime targets by cybercriminals. Despite that, it took Pocket iNet seven days before the data was finally secured, preventing anyone from accessing it.

While the exposure of photos of the equipment or hardware might not cause severe damage, the most concerning factor was the spreadsheets which uncovered passwords mainly named “root” or “admin” which would grant potential attackers total control over the system's assets, resulting in devastating results for the company. Fortunately, no such data was harvested by cybercrooks before the bucket was secured on 19th of October.

UpGuard stated:

Documents containing long lists of administrative passwords may be convenient for operations, but they create single points of total risk, where the compromise of one document can have severe and extensive effects throughout the entire business.

Organizations and companies should make sure no such buckets are exposed

It is not the first time that Amazon S3 bucket was unintentionally exposed online. Earlier this year, data firm LocalBlox uncovered a 1.2 TB file which was not password protected.^[4] Additionally, AWS error disclosed internal information of hosting provider GoDaddy at the end of summer 2018.^[5]

While storage like that is secured by default, users might accidentally leave it open to view to anybody online after making changes to bucket's access control list (ACL). Therefore, it is vital for organizations not to keep such important data as credentials in plain texts.

Pocket iNet, among many other technologically advanced companies, must realize the risks and reduce the possibility of accidental data exposure, protecting the business and the customers.