This week in 'Bungles in the AWS S3 Privacy Jungles', we present Alteryx – and 123 million households exposed

Dodged a bit of a bullet this time

By Shaun Nichols in San Francisco

Posted in Cloud, 21st December 2017 00:22 GMT

Yet another misconfigured Amazon-hosted cloud storage bucket has been discovered – this one flashing the personal information of roughly 123 million American households to anyone passing by on the internet.

The exposed bucket belonged to analytics biz Alteryx, and its bungled security was discovered and reported by infosec outfit UpGuard.

The insecurely configured AWS S3 silo contained records Alteryx had obtained from credit-check company Experian and America's 2010 Census data. The census records are publicly available, whereas Experian's dataset is commercially but not publicly available.

Altogether, the S3 bucket contained "home addresses and contact information, to mortgage ownership and financial histories, to very specific analysis of purchasing behavior," according to UpGuard.

This personal data could have been exploited by identity thieves and other fraudsters. The silo has since been locked down.

Marketing

"While the Census data consists entirely of publicly accessible statistics and information, Experian’s ConsumerView marketing database, a product sold to other enterprises, contains a mix of public details and more sensitive data," explained UpGuard's Dan O'Sullivan on Wednesday.

"Taken together, the exposed data reveals billions of personally identifying details and data points about virtually every American household."

Chris Vickery, UpGuard researcher and renowned AWS S3 breach hunter, came across the exposed bucket in early October, finding that Alteryx had changed the access settings on the S3 bucket so that the data was readable by anyone with an AWS account.

Once inside, Vickery found that the cloud-hosted repository contained a number of software development files as well as the data Alteryx relies on to operate its analytics services. This included a number of details lifted from Experian credit reports.

"While each of the tens of millions of rows represents a different US household, the 248 columns cross-indexed compiles each household’s known or modeled personal details, preferences, and behavior across a wide array of categories," said O'Sullivan. "With a total of over 3.5 billion fields to be filled with such data points, the index’s incredibly detailed level of insight is, ultimately, precisely what Experian claims to offer with its ConsumerView product."

The configuration cockup is yet another example of poor AWS management causing people's personal files to spill onto the internet.


The same problem was blamed for the exposure of records on nearly 200 million voters from a database compiled for the RNC, while the City of Chicago saw 1.8 million of its residents' details spaffed online by a wide-open S3 instance.

By default, an S3 bucket is private to the AWS account that owns it. Many companies nonetheless take the more convenient route of granting the bucket to the ACL's "Authenticated Users" group, which, despite the name, does not mean users of their own account: it means every AWS account in existence, including one anybody can register for free.

"Simply put," says O'Sullivan, "one dummy sign-up for a [free] AWS account, using a freshly created email address, is all that was necessary to gain access to this bucket’s contents."
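To make that distinction concrete, here is an added example (my own code, not Alteryx's, UpGuard's or The Register's) that audits a bucket ACL for exactly this grant. The AWS group URIs and the dict shape of boto3's `get_bucket_acl()` / `put_bucket_acl()` calls are real; the sample ACL, its owner ID, and the functions `find_world_grants`, `harden_acl` and `audit_bucket` are mine and the sample is constructed, not Alteryx's actual ACL.

```python
"""Audit an S3 bucket ACL for the 'anyone with an AWS account' misconfiguration.

Added example, not code from the article or from Alteryx/UpGuard. It works on the
dict shape that boto3's s3.get_bucket_acl() returns, so it runs offline against the
constructed sample below or can be wired to a real boto3 client.
"""
from typing import Dict, List

# AWS-defined ACL groups. AuthenticatedUsers is the trap in this story: it grants
# access to every AWS account in existence, not just the owner's own users.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"  # benign, keep it

WORLD_GROUPS = {
    ALL_USERS: "anyone on the internet, no credentials needed",
    AUTHENTICATED_USERS: "any AWS account, including a free throwaway one",
}

# Constructed sample ACL with a hypothetical owner ID. It mirrors the shape of a
# real get_bucket_acl response minus ResponseMetadata, not any real bucket.
OWNER_ID = "0123456789abcdef" * 4
WEAK_ACL: Dict = {
    "Owner": {"DisplayName": "example-owner", "ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "DisplayName": "example-owner", "ID": OWNER_ID},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY}, "Permission": "WRITE"},
    ],
}


def _is_world_grant(grant: Dict) -> bool:
    grantee = grant.get("Grantee", {})
    return grantee.get("Type") == "Group" and grantee.get("URI") in WORLD_GROUPS


def find_world_grants(acl: Dict) -> List[Dict]:
    """One finding per grant that hands the bucket to AllUsers or AuthenticatedUsers."""
    return [
        {"uri": g["Grantee"]["URI"], "permission": g["Permission"],
         "who": WORLD_GROUPS[g["Grantee"]["URI"]]}
        for g in acl.get("Grants", [])
        if _is_world_grant(g)
    ]


def harden_acl(acl: Dict) -> Dict:
    """Build the ACL to write back: same owner, same grants minus the world groups.

    The result is the AccessControlPolicy argument that boto3's put_bucket_acl()
    takes. The owner's FULL_CONTROL grant is re-added if it was somehow missing,
    so the fix can never lock the owner out.
    """
    kept = [g for g in acl.get("Grants", []) if not _is_world_grant(g)]
    owner = acl["Owner"]
    owner_has_full = any(
        g["Grantee"].get("Type") == "CanonicalUser"
        and g["Grantee"].get("ID") == owner["ID"]
        and g["Permission"] == "FULL_CONTROL"
        for g in kept
    )
    if not owner_has_full:
        kept.insert(0, {"Grantee": {"Type": "CanonicalUser", "ID": owner["ID"]},
                        "Permission": "FULL_CONTROL"})
    return {"Owner": owner, "Grants": kept}


def audit_bucket(s3, bucket: str, fix: bool = False) -> List[Dict]:
    """Fetch a live ACL through any object exposing boto3's get_bucket_acl and
    put_bucket_acl methods (e.g. boto3.client("s3")), report world grants and,
    with fix=True, strip them."""
    acl = s3.get_bucket_acl(Bucket=bucket)
    findings = find_world_grants(acl)
    if findings and fix:
        s3.put_bucket_acl(Bucket=bucket, AccessControlPolicy=harden_acl(acl))
    return findings


if __name__ == "__main__":
    for f in find_world_grants(WEAK_ACL):
        print(f"EXPOSED: {f['permission']} granted to {f['uri']} ({f['who']})")
    print("grantees after hardening:",
          [g["Grantee"].get("URI", "owner") for g in harden_acl(WEAK_ACL)["Grants"]])
```

Against the sample, the audit flags the single `READ` grant to AuthenticatedUsers and leaves the owner's `FULL_CONTROL` and the LogDelivery grant alone. Two caveats a practitioner would want: bucket ACLs and object ACLs are independent, so an object that was given its own world-readable ACL stays readable after the bucket ACL is fixed (check each object's `get_object_acl` as well); and a bucket policy can grant the same access without any ACL involvement, so an ACL audit alone is not proof a bucket is private. S3 Block Public Access, which AWS shipped after this article, treats AuthenticatedUsers grants as public and refuses them at the account or bucket level, which is the simpler guard where it is available.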

Alteryx, meanwhile, said it has taken steps to make sure similar IT missteps won't happen again.

"When we discovered this issue, we removed the file from AWS and also added a layer of additional security to the AWS bucket where the file was stored," said CEO Dean Stoecker.

"We will maintain a similar level of enhanced security for any dataset that we offer to our customers going forward." ®
