The misconfigured S3 bucket was owned by SeniorAdvisor, a consumer ratings and reviews website.
WizCase’s cybersecurity researchers discovered a misconfigured Amazon S3 bucket owned by SeniorAdvisor, one of the leading consumer ratings and reviews websites for senior care/services in the USA and Canada.
The company aids senior citizens in finding care options in their localities. The service was launched by for-profit senior care referral services known as A Place for Mom back in 2013.
The research team led by Ata Hakcil identified that the misconfigured bucket had made millions of people vulnerable to various threats and frauds. The database was left out in the open without any password protection, and it didn’t even require login credentials to access the information.
Resultantly, WizCase researchers revealed that personally identifiable information (PII) of more than three million US senior citizens was contained in the unprotected database without any encryption.
Nearly 180 GB of Data Exposed
According to WizCase researchers, the misconfigured Amazon S3 bucket contained more than 1,000,000 files and 182GB of data. The bucket was secured after WizCase notified SeniorAdvisor. The bucket contained valuable PII, including the names and contact details of millions of older adults.
Data Saved in the Form of Leads
Researchers identified that most of the exposed data were saved as leads and included customers’ contact details to target them in email or phone campaigns. Moreover, it also contained the dates when a particular user was contacted.
As per WizCase’s analysis, the dates ranged from 2002 to 2013, and the files had timestamps dated 2017. Apart from PII, the database had around 2,000 reviews. While user details were scrubbed off, the reviews had a lead ID that could be used to detect users’ details easily.