Another day, another treasure trove of data exposed online. This time, the IT security researchers at vpnMentor have identified personal details of millions of unsuspecting users across North America.
The breach occurred as a result of a misconfigured Amazon Web Services (AWS) S3 bucket left open to public access without any authentication. Simply put: the data could have been accessed by anyone who knows how to look for exposed storage buckets.
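The open-bucket condition described above can be checked from the defender's side by evaluating the three settings that decide whether a bucket is reachable anonymously: its ACL grants, its bucket policy, and its Public Access Block. The following is an added example, not code from the article or from Key Ring; it runs over constructed sample responses shaped like the AWS `GetBucketAcl`, `GetPublicAccessBlock` and `GetBucketPolicy` results rather than calling AWS.

```python
"""Assess whether an S3 bucket is effectively world-readable.

Inputs mirror the shape of the AWS GetBucketAcl, GetPublicAccessBlock and
GetBucketPolicy responses; the samples below are constructed, not real."""
import json

# Grantee URIs that mean "everyone" (AllUsers) or "any AWS account" (AuthenticatedUsers).
PUBLIC_GRANTEES = (
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
)
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_is_public(acl):
    """True if any ACL grant targets one of the public groups."""
    return any(g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GRANTEES
               for g in acl.get("Grants", []))


def policy_is_public(policy_json):
    """True if an Allow statement names a wildcard principal (anonymous access)."""
    if not policy_json:
        return False
    for st in json.loads(policy_json).get("Statement", []):
        principal = st.get("Principal")
        if st.get("Effect") == "Allow" and (principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")):
            return True
    return False


def assess_bucket(acl, pab, policy_json=None):
    """Return a list of findings; an empty list means no public exposure path was found.
    IgnorePublicAcls neutralises public ACL grants and RestrictPublicBuckets
    neutralises public policies, so each finding is gated on the matching PAB flag."""
    findings = []
    if not all(pab.get(k) for k in PAB_KEYS):
        findings.append("public access block incomplete")
    if acl_is_public(acl) and not pab.get("IgnorePublicAcls"):
        findings.append("ACL grants public read")
    if policy_is_public(policy_json) and not pab.get("RestrictPublicBuckets"):
        findings.append("bucket policy allows anonymous principal")
    return findings


# Constructed samples: one bucket misconfigured like the one in the article, one locked down.
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": PUBLIC_GRANTEES[0]}, "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"}]}
NO_BLOCK = {k: False for k in PAB_KEYS}
FULL_BLOCK = {k: True for k in PAB_KEYS}
OPEN_POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    print(assess_bucket(OPEN_ACL, NO_BLOCK, OPEN_POLICY))
    print(assess_bucket(PRIVATE_ACL, FULL_BLOCK, OPEN_POLICY))
```

In a real account the same three API calls are made per bucket and fed to `assess_bucket`; a bucket that returns any finding is the condition this article describes.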
According to vpnMentor’s research team, the database belonged to Austin, TX-based company “Key Ring,” a digital wallet allowing users to upload and store digital copies of their documents including credit cards, identity cards, passports, driving licenses, gift cards, etc.
The company has over 14 million customers, and in this case the privacy and security of every one of them has been put at risk.
In a blog post, vpnMentor revealed that Key Ring exposed 5 S3 buckets holding highly sensitive information, including copies of credit cards with their numbers, expiry dates, and CVV numbers.
Furthermore, Personally Identifiable Information (PII) was also part of the leaked data and included social security numbers, government ID cards, NRA membership cards, medical marijuana ID cards, gift cards, loyalty cards, retail club membership cards, and medical insurance cards.
In total, the number of leaked images comes to 44 million. However, it doesn’t end here: the database also exposed the full names, email addresses, dates of birth, zip codes and locations of Key Ring’s customers. Moreover, IP addresses, salted passwords, and home addresses were also left exposed.
All of it in plain text, on an “as is, where is” basis. Luckily, the company doesn’t provide its services to users in Europe, so it won’t face a hefty GDPR fine; however, it is a massive blow to its customers in North America.
Although it is unclear whether the database was accessed by a third party with malicious intent, if it was, it exposes customers to real-life blackmail, extortion, and identity theft-related scams. Also, since all credit card numbers were available in plain text, hackers could also empty victims’ bank accounts and commit tax fraud.
At the time of publishing this article, the exposed database had been secured by the company.
“Had malicious hackers discovered these buckets, the impact on Key Ring users (and the company itself) would be enormous. In fact, we can’t say for certain that nobody else found these S3 buckets and downloaded the content before we notified Key Ring. If this happened, simply deleting the exposed data and securing the S3 buckets might not be enough. Hackers would still have access to all the data, stored locally, offline, and completely untraceable,” vpnMentor’s team warned.
This, however, is not the first time a misconfigured S3 bucket has exposed such a trove of data. Just a few days ago, a “secure” cloud storage provider exposed millions of customers’ data in plain text. In another incident, a misconfigured S3 bucket exposed the US military’s social media spying campaign to the public.