Industry News

Fortune 100 passwords, email archives, and corporate secrets left exposed on unsecured Amazon S3 server

Some of the world’s biggest companies have had 750GB worth of their innermost secrets revealed on unsecured Amazon S3 buckets, available for anybody to download – no password required.

The startling revelation came from researchers at UpGuard, who discovered three publicly accessible Amazon S3 buckets related to Attunity, a leading provider of data integration and big data management software solutions, on May 13th 2019.

The fact that Attunity is at the centre of the security breach is a concern, simply because of its impressive list of customers. On its website, the company boasts that it counts more than 2,000 enterprises and half the Fortune 100 in its customer base.

According to screenshots published on UpGuard’s blog, Fortune 100 companies such as Netflix, Ford, and TD Bank were amongst those who had their data recklessly exposed.

For instance, the researchers discovered files containing the usernames and passwords of Netflix database systems, and internal Ford presentations.

To add to the concern, the vast haul of exposed data included credentials such as private keys.

In the hands of a determined criminal, such information could be put an organisation – and its customers and partners – in serious danger, as it’s quite feasible the integrity and confidentiality of data could be put at yet further risk.

What’s the point of spending a large proportion of your IT security budget on preventing hackers from gaining access to your network if an IT firm carelessly leaves them lying around on the internet for anybody to see?

Meanwhile, Attunity’s employees were also put at risk as the company’s own payroll and personal identification details were available to freely download.

Fortunately, the researchers responsibly reached out to Attunity and – after a short delay while the right contact was found (the business was just acquired by Swedish firm Qlik, a data analytics company, for close to US $600 million) – the leaky AWS S3 buckets are no longer publicly accessible.

Despite that, Attunity – or rather its new owners Qlik – will no doubt be having some difficult conversations about how this breach could have happened, and what steps it is putting in place to ensure that it never happens again.

What cannot be confirmed right now is whether UpGuard’s researchers were the first to notice that Attunity had left the data of major Fortune 100 companies accessible for anyone to download, or whether they were beaten to the post by criminals.

For the sake of all of the companies and individuals concerned, let’s hope Attunity dodged a bullet this time – although that will have been more down to good luck than having had the foresight to take sensible security measures in the first place.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

3 Comments

Click here to post a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • What. A. Total. Fuck-up.

    There is only one solution to this: force yourself to ALWAYS use end-to-end-encryption when putting ANY data on a (cloud) server. (Yes, there are simple solutions to that – even to the home user). Since even the big names simply don't appear to know what they are doing at all. What was their core business, you say? ;-/

  • What a mess. Even the largest and most technologicallly advanced businesses seem to introduce vulnerabilities in their own systems with an alarming frequency. I think they do not communicate the legal and brand consequences of this situations to their employees enough.
    I do not know much about AWS but cmon! If you are about to do business in the cloud prepare yourself accordingly. You can even do AWS tutorials for free! https://amazon.qwiklabs.com