Amazon Web Services DB Exposed

Security Checkers Security

Sales information of nearly eight million UK shoppers have been leaked online, a security researcher has found.

An online security researcher has discovered that the personal information of nearly eight million UK shoppers were exposed to the public-facing internet in February. Researcher Bob Diachenko, who discovered the unsecured MongoDB database residing on an Amazon Web Services (AWS) server, has since confirmed that the issue has been resolved five days after it was reported to the owner.

In a statement, Amazon said: “We were made aware of an issue with a third-party developer (who works with a number of Amazon sellers), who appears to have held a database containing information from several different companies, including Amazon,”

“The database was available on the internet for a very short period of time. As soon as we were made aware, we ensured the third-party developer took immediate action to remove the database and secure the data. The security of Amazon’s systems was not compromised in any way.”

Among the data that were briefly exposed on the internet include shipping and email addresses, full names of customers and the last four digits of their credit card numbers. Experts warned that such information, when combined, could be enough for hackers to dupe customers through phishing emails.

Vinay Sridhara, CTO of Balbix, said that the issue could have been prevented. 

“Despite billions invested in security, enterprises are failing at the infosec equivalent of washing their hands,” he said.

“Since an organization can’t improve what it can’t measure, the starting point for a company to improve their cyber-hygiene is to inventory, categorize and measure the criticality of their assets. From there, basic resilience begins with identity, encryption and network segmentation.”