Fortune 100 passwords, email archives, and corporate secrets left exposed on unsecured Amazon S3 server

Some of the world’s biggest companies have had 750GB worth of their innermost secrets revealed on unsecured Amazon S3 buckets, available for anybody to download – no password required.

The startling revelation came from researchers at UpGuard, who discovered three publicly accessible Amazon S3 buckets related to Attunity, a leading provider of data integration and big data management software solutions, on May 13th 2019.

The fact that Attunity is at the centre of the security breach is a concern, simply because of its impressive list of customers. On its website, the company boasts that it counts more than 2,000 enterprises and half the Fortune 100 in its customer base.

According to screenshots published on UpGuard’s blog, Fortune 100 companies such as Netflix, Ford, and TD Bank were amongst those who had their data recklessly exposed.

For instance, the researchers discovered files containing the usernames and passwords of Netflix database systems, and internal Ford presentations.

To add to the concern, the vast haul of exposed data included credentials such as private keys.

In the hands of a determined criminal, such information could be put an organisation – and its customers and partners – in serious danger, as it’s quite feasible the integrity and confidentiality of data could be put at yet further risk.

What’s the point of spending a large proportion of your IT security budget on preventing hackers from gaining access to your network if an IT firm carelessly leaves them lying around on the internet for anybody to see?

Meanwhile, Attunity’s employees were also put at risk as the company’s own payroll and personal identification details were available to freely download.

Fortunately, the researchers responsibly reached out to Attunity and – after a short delay while the right contact was found (the business was just acquired by Swedish firm Qlik, a data analytics company, for close to US $600 million) – the leaky AWS S3 buckets are no longer publicly accessible.

Despite that, Attunity – or rather its new owners Qlik – will no doubt be having some difficult conversations about how this breach could have happened, and what steps it is putting in place to ensure that it never happens again.

What cannot be confirmed right now is whether UpGuard’s researchers were the first to notice that Attunity had left the data of major Fortune 100 companies accessible for anyone to download, or whether they were beaten to the post by criminals.

For the sake of all of the companies and individuals concerned, let’s hope Attunity dodged a bullet this time – although that will have been more down to good luck than having had the foresight to take sensible security measures in the first place.