This week in 'Bungles in the AWS S3 Privacy Jungles', we present Alteryx – and 123 million households exposed
Dodged a bit of a bullet this time
Posted in Cloud, 21st December 2017 00:22 GMT
Yet another misconfigured Amazon-hosted cloud storage bucket has been discovered – this one flashing the personal information of roughly 123 million American households to anyone passing by on the internet.
The public-facing database belonged to analytics biz Alteryx, and its bungled security was discovered and reported by infosec outfit UpGuard.
The insecurely configured AWS S3 silo contained records Alteryx had obtained from credit-check company Experian and America's 2010 Census data. The census records are publicly available, whereas Experian's dataset is commercially but not publicly available.
Altogether, the S3 bucket contained "home addresses and contact information, to mortgage ownership and financial histories, to very specific analysis of purchasing behavior," according to UpGuard.
This personal data could, of course, have been exploited by identity thieves and other fraudsters. The silo has since been locked down.
"While the Census data consists entirely of publicly accessible statistics and information, Experian’s ConsumerView marketing database, a product sold to other enterprises, contains a mix of public details and more sensitive data," explained UpGuard's Dan O'Sullivan on Wednesday.
"Taken together, the exposed data reveals billions of personally identifying details and data points about virtually every American household."
Chris Vickery, UpGuard researcher and renowned AWS S3 breach hunter, came across the vulnerable instance in early October, finding that Alteryx had changed the privacy settings on the S3 bucket to make the data viewable to anyone with an AWS account.
Once inside, Vickery found that the cloud-hosted repository contained a number of software development files as well as the data Alteryx relies on to operate its analytics services. This included a number of details lifted from Experian credit reports.
"While each of the tens of millions of rows represents a different US household, the 248 columns cross-indexed compiles each household’s known or modeled personal details, preferences, and behavior across a wide array of categories," said O'Sullivan. "With a total of over 3.5 billion fields to be filled with such data points, the index’s incredibly detailed level of insight is, ultimately, precisely what Experian claims to offer with its ConsumerView product."
The configuration cockup is yet another example of poor AWS management causing people's personal files to spill onto the internet.
The same problem was blamed for the exposure of nearly 200 million voters in the RNC's database, while the City of Chicago saw 1.8 million of its residents' details spaffed online by a wide-open S3 instance.
While AWS limits S3 access to authorized users by default, many companies opt for the more convenient route of setting the buckets to allow access to anyone with an AWS account.
"Simply put," says O'Sullivan, "one dummy sign-up for a [free] AWS account, using a freshly created email address, is all that was necessary to gain access to this bucket’s contents."
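To show what that setting looks like from the defender's side, here is an added example (not code from UpGuard, Alteryx or this article) that evaluates an S3 bucket ACL in the dict shape boto3's get_bucket_acl() returns and flags any grant to the AllUsers or AuthenticatedUsers groups; the two ACLs are constructed samples, so nothing here contacts AWS.

```python
"""Flag S3 bucket ACL grants that open a bucket to every AWS account holder
(AuthenticatedUsers) or to the whole internet (AllUsers). Offline: the ACLs
below are constructed samples in the shape boto3's get_bucket_acl() returns."""

# Predefined S3 grantee groups; these URIs are AWS's fixed identifiers.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

RISKY_GROUPS = {
    ALL_USERS: "public (anyone on the internet)",
    AUTHENTICATED_USERS: "any AWS account (a free sign-up is enough)",
}


def risky_grants(acl):
    """Return (group description, permission) pairs for grants to the two
    global groups. An empty list means the ACL grants nothing beyond named
    principals. Bucket policies are a separate control and are not examined."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # named users and the owner are not global groups
        uri = grantee.get("URI")
        if uri in RISKY_GROUPS:
            findings.append((RISKY_GROUPS[uri], grant["Permission"]))
    return findings


# Constructed sample: owner full control plus READ for AuthenticatedUsers,
# the "anyone with an AWS account" setting described in the article.
EXPOSED_ACL = {
    "Owner": {"ID": "exampleownerid"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "exampleownerid"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}

# Constructed sample: the AWS default, owner only.
PRIVATE_ACL = {
    "Owner": {"ID": "exampleownerid"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "exampleownerid"},
         "Permission": "FULL_CONTROL"},
    ],
}

if __name__ == "__main__":
    for name, acl in (("exposed", EXPOSED_ACL), ("private", PRIVATE_ACL)):
        print(name, risky_grants(acl) or "no global-group grants")
```

Against a live account, the same function can be fed the result of `boto3.client("s3").get_bucket_acl(Bucket=name)` for each bucket returned by `list_buckets()`.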
Alteryx, meanwhile, said it has taken steps to make sure similar IT missteps won't happen again.
"When we discovered this issue, we removed the file from AWS and also added a layer of additional security to the AWS bucket where the file was stored," said CEO Dean Stoecker.
"We will maintain a similar level of enhanced security for any dataset that we offer to our customers going forward." ®