On September 17th, 2017, Chris Vickery, director of Cyber Risk Research at UpGuard discovered a trove of highly sensitive data exposed online without any security or login credentials. The data belonged to one of the world’s largest corporate consulting and management firms Accenture PLC based in Dublin, Ireland.
The data was left exposed on four Amazon Web Services S3 storage buckets allowing anyone to access and download it by merely entering the buckets’ web addresses on their web browser. Upon analysis, Vickery found that buckets contained internal Accenture data including APIs, cloud platform credentials, configurations, certificates, authentication credentials, decryption keys, customer information and other sensitive data that would be helpful enough to attack and damage Accenture and its customers.
Furthermore, the exposed buckets (labeled: “acp-deployment,” “acpcollector,” “acp-software,” and “acp-ssl) also contained details regarding Accenture Cloud Platform and how clients can use it. The “acp-deployment” bucket contained internal access keys and credentials for use by the Identity API, and most importantly it contained “a plaintext document containing the master access key for Accenture’s account with Amazon Web Service’s Key Management Service, exposing an unknown number of credentials to malicious use.”
The “client.jks” bucket contained clear-text password necessary to decrypt the file while the bucket “acpcollector” contained “VPN keys used in production for Accenture’s private network, potentially exposing a master view of Accenture’s cloud ecosystem.”
The third bucket “acp-software,” however contained 137 GB data including database dumps, 40,000 plaintext passwords and access keys for cloud infrastructure management platform Enstratus, etc. The fourth bucket “acp-ssl,” contained access key to another folder providing further access to more sensitive data.
If accessed, the data could have let attackers harm the firm and its clients without needing to explore security flaws to get into Accenture’s cyberinfrastructure. Keeping in mind the recent Equifax breach in which personal details of 143 million Americans; a breach including Accenture would stop clients from trusting the corporate firms.
“It is possible a malicious actor could have used the exposed keys to impersonate Accenture, dwelling silently within the company’s IT environment to gather more information. The specter of password reuse attacks also looms large, across multiple platforms, websites, and potentially hundreds of clients,” concluded UpGuard.
At the time of publishing this article, the exposed data was secured due to UpGuard’s alert to Accenture.