What do Brit biz consultants and X-rated cam stars have in common? Wide open... AWS S3 buckets on public internet

Exposed: Intimate... personal details belonging to thousands of folks


A pair of misconfigured cloud-hosted file silos have left thousands of people's sensitive info sitting on the open internet.

Despite attempts by Amazon to encourage its customers to be more careful, there are plenty of IT administrators and developers who are still not getting it. The latest demonstration of this comes from eggheads at VPNmentor, who this week said they found two open AWS S3 buckets, one belonging to a UK consulting firm and another run by an adult webcam host.
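The misconfiguration at issue is a bucket whose ACL, bucket policy, or account-level Block Public Access settings let anonymous callers list and fetch objects. The checks below are an added example, not code from the article or from VPNmentor: they evaluate, offline, the three artefacts an administrator can pull with `aws s3api get-bucket-acl`, `get-bucket-policy` and `get-public-access-block`, flagging the grants and statements that reach the whole internet. The bucket contents, account ID and role name in the samples are constructed for illustration and have no connection to the buckets in the story.

```python
"""Offline public-exposure check for an S3 bucket (added example, not the
article's or VPNmentor's code). Inputs mirror the JSON the AWS CLI returns
for get-bucket-acl, get-bucket-policy and get-public-access-block; the
sample values below are constructed, not taken from any real bucket."""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTH_USERS}  # anyone on the internet / any AWS account


def acl_public_grants(acl):
    """(grantee, permission) pairs that go to the AllUsers or AuthenticatedUsers groups."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return found


def _principals(stmt):
    """Normalise the Principal element to a list; '*' and AWS:'*' both mean anonymous."""
    p = stmt.get("Principal")
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        aws = p.get("AWS", [])
        return [aws] if isinstance(aws, str) else list(aws)
    return []


def _actions(stmt):
    a = stmt.get("Action", [])
    return [a] if isinstance(a, str) else list(a)


def policy_public_statements(policy):
    """Split Allow statements with an anonymous principal into unconditioned
    (public, full stop) and conditioned (a Condition narrows access, but it
    may be weak, so it is reported for manual review rather than ignored)."""
    public, conditioned = [], []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "*" not in _principals(stmt):
            continue
        entry = {"Sid": stmt.get("Sid"), "Action": _actions(stmt)}
        (conditioned if stmt.get("Condition") else public).append(entry)
    return public, conditioned


def block_public_access_effective(cfg):
    """True only when all four Block Public Access switches are on; leaving any
    one off keeps open a path by which an ACL or policy can expose the bucket."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(cfg.get(k) is True for k in keys)


def assess_bucket(acl, policy, public_access_block):
    """Combine the three checks into a list of findings; an empty list is the goal."""
    findings = []
    for grantee, perm in acl_public_grants(acl):
        findings.append(f"ACL grants {perm} to {grantee}")
    public, conditioned = policy_public_statements(policy)
    for s in public:
        findings.append(f"policy statement {s['Sid']!r} allows {','.join(s['Action'])} to anyone")
    for s in conditioned:
        findings.append(f"policy statement {s['Sid']!r} is anonymous but conditioned: review it")
    if not block_public_access_effective(public_access_block):
        findings.append("Block Public Access is not fully enabled")
    return findings


# Constructed sample: the weak configuration (an ACL READ grant to AllUsers,
# an anonymous GetObject/ListBucket policy, and Block Public Access off).
OWNER = {"Type": "CanonicalUser", "ID": "0" * 64}  # placeholder canonical ID
LEAKY_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
LEAKY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-docs", "arn:aws:s3:::example-docs/*"]},
    {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-docs/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
]}
LEAKY_BPA = {k: False for k in
             ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")}

# Constructed sample: the corrected configuration (owner-only ACL, a policy
# scoped to one hypothetical IAM role, and all four switches on).
HARDENED_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/hr-app"},  # hypothetical
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-docs/*"},
]}
HARDENED_BPA = {k: True for k in LEAKY_BPA}

if __name__ == "__main__":
    for label, args in (("leaky", (LEAKY_ACL, LEAKY_POLICY, LEAKY_BPA)),
                        ("hardened", (HARDENED_ACL, HARDENED_POLICY, HARDENED_BPA))):
        print(label, assess_bucket(*args) or ["no public exposure found"])
```

Feeding it the weak sample yields four findings (the ACL grant, the unconditioned statement, the IP-conditioned statement for review, and the Block Public Access gap); the hardened sample yields none. The IP-conditioned statement is kept as a separate finding on purpose: an anonymous principal behind a source-IP condition is only as safe as the address range, which is exactly the kind of thing that drifts unnoticed over a decade of operations.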

The first leaky system was a poorly configured AWS S3 storage bucket linked to UK consulting firm CHS. It included passport scans, tax documents, background check paperwork, criminal records, and expense and benefit forms detailing several thousand business consultants working for CHS and other firms in Blighty from 2011 through 2015.

"Given the nature of the files contained within the database, the information exposed is still relevant and could be used in many ways," VPNmentor says.

"These documents contained a wide range of Personally Identifiable Information (PII) data for 1,000s of British residents and working professionals."

VPNmentor says the data silo was taken down in December after it alerted CERT-UK to the matter. CHS could not be reached, the researchers said.

Sex workers' secrets exposed

The second info trove the team uncovered puts the "exposure" in data exposure. That instance, also a misconfigured S3 bucket, contained nearly 20GB belonging to the subtly-named adult cam network PussyCash.

According to VPNmentor's crew, within that archive were 875,000 records containing the personal information of 4,000 of the site's saucy performers. These include scans of the documents used to prove each model's age, such as ID cards, birth certificates, and passports. Also included were performer release forms and profile information.

This is particularly bad given the sensitive nature of the work and the need to protect the privacy and physical safety of the X-rated web stars. Because the records cover performers from virtually every inhabited part of the world, LGBTQ+ performers in some regions could also face persecution if identified.

"There are at least 875,000 keys, which represent different file types, including videos, marketing materials, photographs, clips and screenshots of video chats, and zip files. Within each zip folder – and there is apparently one zip folder per model – there are often multiple additional files (e.g. photographs and scans of documents), and many additional items that we chose not to investigate," the VPNmentor team explained.

"The folders included could be up to 15-20 years old, but are also as recent as the last few weeks. Even for older files, given the nature of the data, it is still relevant and of equal impact as newly added files."

The database was taken offline on January 9, we're told. ®