
Fortune 100 passwords, email archives, and corporate secrets left exposed on unsecured Amazon S3 server

Graham CLULEY

June 28, 2019


Some of the world’s biggest companies have had 750GB worth of their innermost secrets revealed on unsecured Amazon S3 buckets, available for anybody to download – no password required.

The startling revelation came from researchers at UpGuard, who discovered three publicly accessible Amazon S3 buckets related to Attunity, a leading provider of data integration and big data management software solutions, on May 13th 2019.

The fact that Attunity is at the centre of the security breach is a concern, simply because of its impressive list of customers. On its website, the company boasts that it counts more than 2,000 enterprises and half the Fortune 100 in its customer base.

According to screenshots published on UpGuard’s blog, Fortune 100 companies such as Netflix, Ford, and TD Bank were amongst those who had their data recklessly exposed.

For instance, the researchers discovered files containing the usernames and passwords of Netflix database systems, and internal Ford presentations.

To add to the concern, the vast haul of exposed data included credentials such as private keys.

In the hands of a determined criminal, such information could put an organisation – and its customers and partners – in serious danger, as it’s quite feasible that the integrity and confidentiality of data could be put at yet further risk.

What’s the point of spending a large proportion of your IT security budget on preventing hackers from gaining access to your network if an IT firm carelessly leaves your credentials lying around on the internet for anybody to see?

Meanwhile, Attunity’s employees were also put at risk as the company’s own payroll and personal identification details were available to freely download.

Fortunately, the researchers responsibly reached out to Attunity and – after a short delay while the right contact was found (the business was just acquired by Swedish firm Qlik, a data analytics company, for close to US $600 million) – the leaky AWS S3 buckets are no longer publicly accessible.

Despite that, Attunity – or rather its new owners Qlik – will no doubt be having some difficult conversations about how this breach could have happened, and what steps it is putting in place to ensure that it never happens again.

What cannot be confirmed right now is whether UpGuard’s researchers were the first to notice that Attunity had left the data of major Fortune 100 companies accessible for anyone to download, or whether they were beaten to the post by criminals.

For the sake of all of the companies and individuals concerned, let’s hope Attunity dodged a bullet this time – although that will have been more down to good luck than having had the foresight to take sensible security measures in the first place.
