Just like many companies before it, weight loss company Weight Watchers suffered a security incident after researchers found a server exposed on the Internet that held configuration details and credentials for part of the company's cloud infrastructure.
The exposed server was a Kubernetes instance. Kubernetes is an open-source platform for deploying and managing containerized applications across a cluster of servers, usually on cloud infrastructure.
Researchers from German cyber-security firm Kromtech discovered that Weight Watchers had left the administration interface of one of its Kubernetes instances reachable without authentication.
Anyone who knew where to look (TCP port 10250, the port on which the kubelet node agent serves its API) could query this server without supplying a username or password.
Once the Kromtech team found and connected to the Kubernetes server, they say they found details about the company's internal IT infrastructure, such as AWS access keys, pod specifications, and several dozen S3 buckets holding the company's data.
All in all, the Kubernetes instance exposed an administrator's root credentials, access keys for 102 of their domains, and 31 IAM users, including users with administrative credentials and applications with programmatic access.
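The exposure described above can be checked for without ever touching the company's data: an unauthenticated kubelet answers `GET /pods` with the full spec of every pod on the node, and pod specs frequently carry cloud credentials as plain environment variables. The script below is an added example, not code from the article or from Kromtech. It parses a constructed PodList (the key IDs in it are fake) and reports which containers expose AWS credentials; the `probe_kubelet` helper that fetches a live PodList is hypothetical field tooling and is not exercised offline.

```python
"""Scan a kubelet PodList (the response of GET https://node:10250/pods) for
leaked AWS credentials.

Added example, not from the article or Kromtech. The kubelet API on TCP 10250
returns every pod spec on that node; when it answers anonymously, anyone who
can reach the port can read those specs, including env vars.
"""
import json
import re
import ssl
import urllib.request

# AWS access key IDs are 20 uppercase alphanumerics starting with AKIA
# (long-term IAM keys) or ASIA (temporary STS credentials).
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Env var names that hold secret material even when the value itself does
# not look like a key ID.
SECRET_ENV_NAMES = {"AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}


def probe_kubelet(host, port=10250, timeout=5):
    """GET /pods from a kubelet with no credentials and return the PodList.

    Hypothetical helper for live use (not called by the offline demo). TLS
    verification is disabled because kubelets normally present self-signed
    certificates. An anonymous HTTP 200 here is itself the misconfiguration
    the article describes; a hardened kubelet returns 401 or 403.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = "https://%s:%d/pods" % (host, port)
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return json.load(resp)


def find_exposed_aws_credentials(podlist):
    """Return one finding per container env var that leaks AWS credentials.

    Each finding is (namespace, pod, container, env_name, kind), where kind is
    'access_key_id' for an inline AKIA/ASIA value and 'secret' for an inline
    value under a known secret name. Values are deliberately not returned so
    the report does not spread the keys further. Env vars populated through
    valueFrom (a Secret or ConfigMap reference) have no inline value in the
    spec and are therefore not flagged.
    """
    findings = []
    for pod in podlist.get("items", []):
        meta = pod.get("metadata", {})
        ns, name = meta.get("namespace", ""), meta.get("name", "")
        spec = pod.get("spec", {})
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            for env in c.get("env", []):
                env_name = env.get("name", "")
                value = env.get("value")  # None when sourced via valueFrom
                if value is None:
                    continue
                if AWS_KEY_ID_RE.search(value):
                    findings.append((ns, name, c["name"], env_name, "access_key_id"))
                elif env_name in SECRET_ENV_NAMES:
                    findings.append((ns, name, c["name"], env_name, "secret"))
    return findings


# Constructed sample PodList for the offline demo; credentials are fake.
SAMPLE_PODLIST = {
    "kind": "PodList",
    "items": [
        {
            "metadata": {"namespace": "default", "name": "ingest-7d9f"},
            "spec": {"containers": [{
                "name": "ingest",
                "env": [
                    {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAEXAMPLE000000001"},
                    {"name": "AWS_SECRET_ACCESS_KEY", "value": "constructed-fake-secret"},
                    {"name": "LOG_LEVEL", "value": "info"},
                ],
            }]},
        },
        {
            "metadata": {"namespace": "payments", "name": "api-5c2b"},
            "spec": {"containers": [{
                "name": "api",
                "env": [
                    # Mounted from a Secret: no inline value, so not flagged here.
                    {"name": "AWS_ACCESS_KEY_ID",
                     "valueFrom": {"secretKeyRef": {"name": "aws-creds", "key": "id"}}},
                ],
            }]},
        },
    ],
}

if __name__ == "__main__":
    for finding in find_exposed_aws_credentials(SAMPLE_PODLIST):
        print("%s/%s container=%s env=%s (%s)" % finding)
```

Against a real node, `probe_kubelet(host)` replaces `SAMPLE_PODLIST`; only run it against infrastructure you are authorized to test. On the defensive side, the kubelet should be started with `--anonymous-auth=false` and an authorization mode other than `AlwaysAllow` (for example `--authorization-mode=Webhook`), and port 10250 should be reachable only from the control plane, which is the security-group fix Weight Watchers describes below.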
It is unclear whether anyone besides the Kromtech team discovered this Kubernetes instance, but an attacker with access to this server would have been able to reach a large part of Weight Watchers' AWS environment.
It is also unclear what kind of data (user details?) these servers were storing, as the Kromtech team could not go wandering around inside Weight Watchers' network without violating a slew of laws.
"We didn't go inside, in order to avoid violations," Kromtech researcher Bob Diachenko told Bleeping Computer today. "Instead, we looked up the list of services connected to the exposed AWS key pair, to understand the scale."
Diachenko and the Kromtech team said they reported the exposed server to Weight Watchers, who quickly remediated the issue, thanking the researchers.
"We really appreciate the community working to make us all safer," a Weight Watchers spokesperson said in its response to Kromtech.
"We have confirmed the issue - a security group for a test cluster in our non-production account was misconfigured during testing. The issue should be resolved and keys should be revoked. We’ve also implemented some safeguards to protect against this issue from recurrence."
But Kromtech disputes Weight Watchers' explanation that this was a non-production account. Nonetheless, today, a Weight Watchers spokesperson stood by the company's initial statement.
"Last week, Weight Watchers received a report from security researchers related to the exposure of credentials in one non-production AWS account," a company spokesperson told Bleeping Computer via email. "The account was in a testing environment clearly labeled 'nonprod' and is used only to test new services and features."
"To be able to test and innovate securely, we keep test environments completely separate from production environments. Our internal team and a reputable third-party security forensics team have investigated the exposed account key scope and activity, and each has independently confirmed that there was no indication that any personally identifiable information was exposed," the spokesperson told us.
Weight Watchers is certainly not the first company to have to deal with a leaky or non-protected server. Other companies that suffered a similar fate include Tesla, Honda, Universal, and Bezop, just to name a few.
Tesla, in particular, suffered a leak via a similarly exposed Kubernetes console. Hackers even used the company's Kubernetes instance to mine cryptocurrency, a type of attack that has become quite common.
Article updated with Weight Watchers comment.