Leaky S3 buckets have gotten so common that they’re being found by the thousands now, with lots of buried secrets
Shaun Nichols reports:
The massive amounts of exposed data on misconfigured AWS S3 storage buckets is a catastrophic network breach just waiting to happen, say experts.
The team at Truffle Security says its automated search tools were able to stumble across some 4,000 open Amazon S3 buckets that included data companies would not want public, things like login credentials, security keys, and API keys.
Read more on The Register.
The report comes as absolutely zero surprise to anyone who has been in touch with researchers on a regular basis. Every day, one of my favorite whitehat researchers shows me at least half a dozen or more leaky s3 buckets exposing personal or sensitive information. Luckily for them — if they check their email — he sends them notifications to alert them. And then if they don’t respond or if he cannot figure out who owns the bucket, he sends the information to Amazon’s team so that they can contact their customer to get the data locked down.
But it really is that bad, and it’s even worse when you realize that some services even find these open buckets and list them on a searchable site.
It’s 2020. If you have data in the cloud, when was the last time you hired an independent firm or consultant to test and ensure that all your backups or databases are configured correctly for security. The problems are not just confined to s3 buckets — these issues also apply to elastic search instances, MongoDB, Couch and every other kind of database you can think of.