An open Amazon S3 bucket owned by Data Deposit Box has exposed the personally identifiable information (PII) of its customers.
Ironically, Data Deposit Box is a company offering secure cloud backup storage services to small businesses and individuals. The Canada-based company has over 350,000 users across 84 countries.
Discovered by the vpnMentor research team on Christmas day last year, the unsecured Amazon S3 bucket exposed over 270,000 files, with many files dating back to 2016.
Leaked information included private user data such as admin login credentials, IP addresses, email addresses and GUIDs (globally unique identifiers for resources).
Shockingly, researchers were able to view users’ login credentials in plain text, in addition to being able to view information about users’ stored files such as file name, type, size, the date last modified, and the file path on the user’s local disk.
Data Deposit Box was contacted five days after the discovery, and the Canada-based company responded by securing the database on January 6, 2020.
“The unencrypted usernames and passwords exposed in this breach may allow malicious parties to access Data Deposit Box’s customers’ accounts. We didn’t log into any users’ accounts for ethical reasons, but we could’ve easily done so. The bad news is that if we’re able to do this, hackers could do it too,” vpnMentor explained.
On its website, Data Deposit Box offers two-factor authentication; however, some hackers may be able to bypass it by accessing email accounts or even hijacking phone numbers.
Once a hacker successfully gains access to a user’s account, they would have access to all the files stored by that user.
Hackers could also use the leaked information to launch phishing attacks and scams in order to obtain more sensitive information.
“When customers sign up for Data Deposit Box’s secure cloud storage service, the company promises to protect your files and accounts with robust encryption. The fact that we were able to view unencrypted passwords, file names, and other sensitive data means best practices weren’t being followed.”