Data management company Attunity left unprotected cloud storage buckets that contained sensitive details of Fortune 100 companies
UpGuard security researchers discovered three unprotected Amazon S3 buckets that disclosed personal details belonging to Attunity, an Israel-based data management and integration company. The firm also holds information belonging to renowned Fortune 100 companies such as Netflix, Ford, TD Bank, and others.
The exposed S3 buckets were spotted by UpGuard's security team on May 13th, 2019. The sensitive information included backups of employees' OneDrive accounts, system passwords, project details, keys for production systems, internal business documents, sales information, and much more.
Soon after the discovery, security experts informed the party responsible, and within a day access to the sensitive information was terminated. Nevertheless, it is not yet known how long the leaky S3 buckets were accessible to everyone or whether bad actors managed to use the exposed information for malicious purposes such as fraud.
Attunity is one of the largest data management companies and was recently acquired by Qlik, a business intelligence platform. Attunity's customers include some of the biggest corporations in the world, among them Pfizer, Mercedes-Benz, Dolby, Brown-Forman, Philips, and many others.
The oldest entry dates back to September 2014
UpGuard's security experts contacted Attunity three days after the discovery, on May 16th. The leaky S3 buckets were named “attunity-it,” “attunity-patch,” and “attunity-support,” and held approximately 1 TB of data, although the precise size is unknown. Of that, 750 GB were compressed email backups.
In one of the buckets, the latest updates to some files dated back to September 2014, although that does not mean these sensitive details were exposed at that time. Nevertheless, the most recent records were dated just days before security experts discovered the unsafe buckets.
While analyzing the data might be quite difficult given the size of AWS buckets that contain thousands of entries, the ramifications of such exposure might be huge, as hackers might use tools designed to filter out the information they need. Considering that the leaky S3 bucket contained not only Attunity's data but also that of industry giants, there is a chance that the information might be misused to access the world's most prominent organizations.
The disclosure of system credentials would be especially dangerous, as the UpGuard team explained:
One class of data, among the most obviously significant for an information security program, are credentials for systems that would feasibly allow for the further compromise of the integrity, confidentiality, or availability of data. UpGuard researchers do not attempt to use credentials, and so cannot report on what access these could have provided, but the exposure of credentials certainly removes one layer of protection for accessing those systems. If they are administrative credentials then the exposure level would be high.
AWS S3 bucket exposure is not new, and it poses tremendous danger to corporations
Unfortunately, this is just one example of many in which misconfigured and leaky buckets were left on the internet for everybody to see.
Back in April 2018, personal and business data search service LocalBlox left an S3 bucket open, which resulted in the exposure of 48 million users of Facebook, Twitter, and other social networks.
In one of the most recent incidents, Facebook managed to fail yet again, leaving an exposed Amazon S3 bucket open to the public, which consequently put the data of 540 million Facebook users at risk of exposure to malicious actors. The information included passwords in plain text, account names, user IDs, and other sensitive details.
UpGuard, which has been working hard to stop these leaky buckets from falling into cybercriminals' hands, commented on Attunity's incident as follows:
The chain of events leading to the exposure of that data provides a useful lesson in the ecology of a data leak scenario. Users’ workstations may be secured against attackers breaking in, but other IT processes can copy and expose the same data valued by attackers. When such backups are exposed, they can contain a variety of data from system credentials to personally identifiable information. Data is not safe if misconfigurations and process errors expose that data to the public internet.