This week in 'Bungles in the AWS S3 Privacy Jungles', we present Alteryx – and 123 million households exposed

Dodged a bit of a bullet this time

By Shaun Nichols in San Francisco


Yet another misconfigured Amazon-hosted cloud storage bucket has been discovered – this one flashing the personal information of roughly 123 million American households to anyone passing by on the internet.

The public-facing database belonged to analytics biz Alteryx, and its bungled security was discovered and reported by infosec outfit UpGuard.

The insecurely configured AWS S3 silo contained records Alteryx had obtained from credit-check company Experian and America's 2010 Census data. The census records are publicly available, whereas Experian's dataset is commercially but not publicly available.

Altogether, the S3 bucket contained "home addresses and contact information, to mortgage ownership and financial histories, to very specific analysis of purchasing behavior," according to UpGuard.

This personal data could, of course, have been exploited by identity thieves and other fraudsters. The silo has since been locked down.


"While the Census data consists entirely of publicly accessible statistics and information, Experian’s ConsumerView marketing database, a product sold to other enterprises, contains a mix of public details and more sensitive data," explained UpGuard's Dan O'Sullivan on Wednesday.

"Taken together, the exposed data reveals billions of personally identifying details and data points about virtually every American household."

Chris Vickery, UpGuard researcher and renowned AWS S3 breach hunter, came across the vulnerable instance in early October, finding that Alteryx had changed the privacy settings on the S3 bucket to make the data viewable to anyone with an AWS account.

Once inside, Vickery found that the cloud-hosted repository contained a number of software development files as well as the data Alteryx relies on to operate its analytics services. This included a number of details lifted from Experian credit reports.

"While each of the tens of millions of rows represents a different US household, the 248 columns cross-indexed compiles each household’s known or modeled personal details, preferences, and behavior across a wide array of categories," said O'Sullivan. "With a total of over 3.5 billion fields to be filled with such data points, the index’s incredibly detailed level of insight is, ultimately, precisely what Experian claims to offer with its ConsumerView product."

The configuration cockup is yet another example of poor AWS management causing people's personal files to spill onto the internet.


The same problem was blamed for the exposure of nearly 200 million voters in the RNC's database, while the City of Chicago saw 1.8 million of its residents' details spaffed online by a wide-open S3 instance.

While AWS limits S3 access to authorized users by default, many companies opt for the more convenient route of setting the buckets to allow access to anyone with an AWS account.

"Simply put," says O'Sullivan, "one dummy sign-up for a [free] AWS account, using a freshly created email address, is all that was necessary to gain access to this bucket’s contents."
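The setting described above corresponds to an S3 ACL grant to the well-known AuthenticatedUsers group, which covers every AWS account, not just the bucket owner's. The following added audit check is not code from Alteryx, UpGuard or AWS; it flags such grants (and fully public AllUsers grants) in an ACL document shaped like the output of boto3's `get_bucket_acl()`, using constructed sample ACLs so it runs offline.

```python
# Added example: audit an S3 bucket ACL for the "anyone with an AWS account"
# misconfiguration described in the article. Not Alteryx's, UpGuard's or AWS's code.
# The dict layout mirrors boto3's s3.get_bucket_acl() response; sample ACLs are constructed.
from typing import Dict, List

# Well-known S3 ACL group URIs as documented by AWS.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def risky_grants(acl: Dict) -> List[str]:
    """Return one finding per grant that opens the bucket beyond specific accounts."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser grants name one specific AWS account
        uri, perm = grantee.get("URI"), grant.get("Permission")
        if uri == ALL_USERS:
            findings.append(f"PUBLIC: AllUsers has {perm}")
        elif uri == AUTHENTICATED_USERS:
            findings.append(f"ANY-AWS-ACCOUNT: AuthenticatedUsers has {perm}")
    return findings


def remove_group_grants(acl: Dict) -> Dict:
    """Return a copy of the ACL with every Group grant dropped (owner/account-scoped only)."""
    kept = [g for g in acl.get("Grants", []) if g.get("Grantee", {}).get("Type") != "Group"]
    return {"Owner": acl.get("Owner", {}), "Grants": kept}


# Constructed sample: the weak setting (any AWS account may list and read the bucket).
WEAK_ACL = {
    "Owner": {"ID": "owner-canonical-id-placeholder"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ],
}

# Constructed sample: the owner-only ACL that a new bucket has by default.
SAFE_ACL = remove_group_grants(WEAK_ACL)

if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("safe", SAFE_ACL)):
        print(name, risky_grants(acl) or ["no group grants"])
```

For a live audit, feed `boto3.client("s3").get_bucket_acl(Bucket=name)` into `risky_grants()` for each bucket; an ACL is only one of several S3 access paths, so bucket policies and account-level public-access settings should be reviewed as well.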

Alteryx, meanwhile, said it has taken steps to make sure similar IT missteps won't happen again.

"When we discovered this issue, we removed the file from AWS and also added a layer of additional security to the AWS bucket where the file was stored," said CEO Dean Stoecker.

"We will maintain a similar level of enhanced security for any dataset that we offer to our customers going forward." ®
