
A Hole in the Bucket: Data Leak Incidents Caused by Amazon S3 Misconfigurations

SoftwareOne blog editorial team

Few cloud services have opened up as many new opportunities for companies as Amazon Web Services (AWS). AWS is extremely powerful, scales flexibly, and is convenient to use. However, the latter can also be treacherous: Its intuitive interface tempts users to simply push data into the cloud without considering proper security measures.

Seductively Simple: Amazon's Simple Storage Service

This happens particularly easily in Amazon S3, the Simple Storage Service. As the name suggests, this is actually nothing more than data storage in the cloud. It is organized in so-called buckets. A bucket is a container for the objects that are stored there, such as files.

Unlike on-premises (local) data storage, data in Amazon S3 is accessible from anywhere, independent of location. In addition, a huge corporation like Amazon can secure its data centers better than most companies on site: in a smaller company even an incident such as a break-in or flood can lead to data loss, but it takes much more serious disasters to put data availability at Amazon at risk.

Amazon also offers various so-called tiers for S3: these are graduated classes of service that a company can select according to how often, how quickly and how reliably it needs access to the data stored in the buckets. This provides additional efficiency: data that needs to be accessed particularly quickly is kept in the S3 standard tier. If the customer already knows that data needs to be accessed infrequently - for archiving purposes, for example - a less expensive tier can be chosen. And there is even the option of having this optimized by Amazon itself: In so-called Intelligent Tiering, machine learning is used to automatically move objects between standard and a less expensive tier, depending on previous access patterns. 

S3 Bucket Misconfigurations: Leak After Leak After Leak

All these seductive features of S3 have been the undoing of some companies in the past: They have used S3 too carelessly and thus experienced enormous, even existence-threatening difficulties. Amazon has repeatedly improved its security settings for S3 in order to protect customers from themselves, i.e. from accidental misconfigurations. But there are limits to this if the service is to remain as "simple" as the name promises.

Here is a quick overview of S3 data leaks over the past few years. This is not a complete list - and the number of unreported cases is high, as many companies manage to keep their mishaps out of the press.

S3 Data Leaks: Prominent Examples

  • Booz Allen Hamilton: In May 2017, it became public that the well-known consulting firm Booz Allen Hamilton had exposed confidential data due to a misconfigured S3 bucket.
    Particularly explosive: since Booz Allen Hamilton also worked for the U.S. Department of Defense, secret documents from this agency were also compromised.

  • Verizon: In June 2017, an IT security firm discovered that the names, phone numbers and other personal data - in some cases even PINs - of customers of the U.S. telephone company Verizon were publicly accessible. The leak was reported to the company on June 13 and closed on June 22.

  • Accenture: In September 2017, it was revealed that Accenture, one of the world's largest consulting firms, had made 1.1 TB of data publicly available. This included data on registered voters.

  • Uber: In November 2017, media reported that Uber had made publicly accessible the personal data of 57 million passengers worldwide and about 600,000 U.S. drivers - again due to misconfigured S3 buckets. The data leak had happened the year before, when controversial Uber CEO Travis Kalanick had still been in office, but only became known in 2017.

  • GoDaddy: In 2018, a publicly accessible S3 bucket leaked no sensitive personal data of customers, but it did leak trade secrets of web hosting provider GoDaddy: these included details of configurations of deployments on AWS and pricing models for their customers.

  • Facebook: The data of 540 million Facebook users was compromised in March 2019 through misconfigured S3 buckets from two third-party apps. What is interesting about this is that one of the two third-party providers had ceased to do business years ago, but its S3 bucket was still languishing unprotected on the network.

  • Capital One: In 2019, the bank Capital One suffered a data leak caused by a misconfigured S3 bucket, in which attackers stole personal information from about 100 million U.S. and 6 million Canadian customers. Specifically, it involved customers who were credit card customers or had applied for a credit card between 2005 and 2019.

  • MGM Resorts: In mid-2019, the personal data, including names, home addresses, phone numbers and email addresses, of more than 10 million guests of the MGM Resorts hotel chain surfaced on a Darknet forum. The data leak, as later became known, had already existed since 2018. The reason here, too, was the faulty configuration of an S3 bucket.

  • Delivery Hero: In 2020, a data leak from Foodora, a subsidiary of Delivery Hero, became public - also in a Darknet forum. Affected were 727,000 customers from 14 countries, including Germany, and data collected since 2016.

  • Upstox: In 2021, a data leak occurred at the Indian broker Upstox due to a misconfigured S3 bucket. Exposed here was personal customer data including the Aadhaar, the personal identification number of every Indian citizen with the Unique Identification Authority of India (UIDAI).

  • Pegasus Airlines: In the spring of 2022, the Turkish airline accidentally disclosed 6.5 TB of data, including personal data of employees, flight schedules, navigation data and even files containing unencrypted access data and passwords.

Closing S3 Security Holes Easily

Vulnerabilities like these can severely damage your company's reputation and customers', employees' and the public's trust in you - perhaps irreparably. And the likelihood of misconfigurations being detected by others is increasing: There are now numerous publicly available tools that security researchers, as well as malicious attackers, can use to discover open S3 buckets on the web within seconds.

But data leaks in S3 are among the easiest security holes to close. There is virtually no reason to expose yourself to the risk of a misconfigured S3 bucket. The same goes for other configuration errors that can affect your organization's security in AWS: security is easier than you think.

Minimise security risks in S3

Read more in our whitepaper on AWS security.
