A software tool was used to manage and interpret data fromevery aspect of the companys operations.
But rare are these times.
Most often, we need days of investigation before we understand whats at stake or whos exposing the data.
Understanding a breach and its potential impact takes careful attention and time.
We work hard to publish accurate and trustworthy reports, ensuring everybody who reads them understands their seriousness.
Some affected parties deny the facts, disregarding our research, or playing down its impact.
So, we need to be thorough andmake sure everything we find is correct and accurate.
We initiallycontacted the company we assumed was the owner of the bucket.
As they didnt get back to us,we contacted AWS directlyto notify it of the breach.
AWS often notifies users of breaches and misconfigurations when we are unsuccessful in doing so.
Meanwhile, we continued investigating the S3 bucket to confirm some additional details.
The breach was closed about a month after this.
However,the PII data could still be used to compromise the security and safety of the people affected.
Voice recordings and videos in Portuguese apparently belonging to Prisma Promotera were exposed by the bucket misconfiguration.
While much smaller than the bucket, the SQL database also contained highly sensitive data.
We estimatethe SQL backup contained over 500,000 files, each containing various forms of additional PII data.
Some entries also appeared to contain login credentials for accounts on the app.
Data Breach Impact
The exposed files and databases compromised the security of 10,000s of people.
Amazon provides detailed instructions to AWS users to help them secure S3 buckets and keep them private.
To learn about data vulnerabilities in general,read ourcomplete guide to online privacy.
It shows you the many ways cybercriminals target internet users and the steps you could take to stay safe.
Our researchers use large-scale web scanners to search for unsecured data stores containing information that shouldnt be exposed.
They then examine each data store for any data being leaked.
Our team was able to access this S3 bucket because it was completely unsecured and unencrypted.
As ethical hackers,were obliged to inform a company when we discover flaws in their online security.
The purpose of this web mapping project is to helpmake the internet safer for all users.
Only the database owner has access to that information.
We never sell, store, or expose any information we encounter during our security research.
Our ethical security research team has discovered and disclosed some of the most impactful data breaches in recent years.
You may also want to read ourVPN Leak Report and Data Privacy Stats Report.
Help Us Protect The Internet!
