Amazon S3

During the past year, there has been a surge in data breach reporting regarding Amazon S3 servers left accessible online, and which were exposing private information from all sorts of companies and their customers.

In almost all cases, the reason was that companies, through their staff, left Amazon S3 "buckets" configured to allow "public" access. This means that anyone with a link to the S3 server could access, view, or download its content.

The problem is that most companies believe that if they're the only ones knowing the database's URL, they are safe. This is not true. Attackers can obtain these URLs using MitM attacks on corporate networks, accidental employee leaks, or by brute-forcing domains for hidden URLs.

While this sounds complicated, there are open-source available on GitHub that simplify the discovery of public S3 buckets, putting a large number of companies at risk.

7% of all S3 buckets have unrestricted public access

According to statistics by security firm Skyhigh Networks, 7% of all S3 buckets have unrestricted public access, and 35% are unencrypted, meaning this is an endemic problem of the entire Amazon S3 ecosystem.

These lapses in security best practices have resulted in some serious breaches, from army contractors to big-time US ISPs.

Below is a (most likely incomplete) list of all the major data leaks caused by companies leaving Amazon S3 buckets configured with public access during the past few months.

⬨ Top defense contractor Booz Allen Hamilton leaks 60,000 files, including employee security credentials and passwords to a US government system.
⬨ Verizon partner leaks personal records of over 14 million Verizon customers, including names, addresses, account details, and for some victims — account PINs.
⬨ An AWS S3 server leaked the personal details of WWE fans who registered on the company's sites. 3,065,805 users were exposed.
⬨ Another AWS S4 bucket leaked the personal details of over 198 million American voters. The database contained information from three data mining companies known to be associated with the Republican Party.
Another S3 database left exposed only leaked the personal details of job applications that had Top Secret government clearance.
Dow Jones, the parent company of the Wall Street Journal, leaked the personal details of 2.2 million customers.
⬨ Omaha-based voting machine firm Election Systems & Software (ES&S) left a database exposed online that contained the personal records of 1.8 million Chicago voters.
⬨ Security researchers discovered a Verizon AWS S3 bucket containing over 100 MB of data about the company's internal system named Distributed Vision Services (DVS), used for billing operations.
⬨ An auto-tracking company leaked over a half of a million records with logins/passwords, emails, VIN (vehicle identification number), IMEI numbers of GPS devices and other data that is collected on their devices, customers and auto dealerships.

Companies that want to avoid situations like the above should review the following Amazon documentation pages and make sure they fully understand their server's permissions level:

In addition, Mark Nunnikhoven, Vice President of Cloud Research at Trend Micro, also has a simple guide on how to secure an Amazon S3 buckets.