Amazon S3 Users Exposing Sensitive Data, Study Finds


In addition, Rapid7 said it found more than 200,000 CSV files, which included personal information such as names, email addresses and phone numbers. CSV files are typically a plain text version of an Excel file used by administrators as an easy way to make tables without having a database, Beardsley said.

Organizations are also implementing password management wrong, storing passwords in plain text or with only one layer of encryption, which can be easily broken with a password cracker, Beardsley said.

Researchers have warned about the dangers of mistakenly exposing sensitive data on the service in the past. Two years ago, independent researcher and penetration tester Robin Wood published a tool that automates crawling S3 for enterprise-created public buckets and cataloguing the information they contain.

Beardsley said Rapid7 is working closely with Amazon to improve its documentation, address the configuration problems and limit the amount of exposed data. Amazon is also reaching out to firms that had sensitive data identified in the Rapid7 study, Beardsley said.
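The configuration problem behind the exposures above is bucket-level access granted to everyone, either through the bucket ACL or through a bucket policy with a wildcard principal. As an added example that is not Rapid7's, Amazon's or the article's own code, here is a small Python audit that flags both, run offline against constructed documents shaped like the S3 GetBucketAcl and GetBucketPolicy responses (the bucket name and account ID in the samples are placeholders).

```python
import json

# Grantee URIs that S3 uses for "everyone" and "any AWS account holder".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_acl_grants(acl):
    """Return (group URI, permission) for each ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append((grantee["URI"], grant["Permission"]))
    return findings

def is_wildcard_principal(principal):
    """True if a policy Principal means 'anyone': "*" or {"AWS": "*"} (possibly in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False

def public_policy_statements(policy):
    """Return the Sid (or index) of each Allow statement open to anyone. A Condition
    block may narrow such a statement, so treat hits as items to review, not proof."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and is_wildcard_principal(stmt.get("Principal")):
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings

def audit_bucket(acl, policy_json):
    """Run both checks; policy_json is None when the bucket has no policy attached."""
    policy = json.loads(policy_json) if policy_json else {}
    return {"acl": public_acl_grants(acl), "policy": public_policy_statements(policy)}

# Constructed sample documents (placeholder IDs), not taken from any real bucket.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "TeamWrite", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/uploader"}, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]})
```

In a real audit the two documents come from the S3 API for each bucket in the account; an AllUsers READ grant on the bucket ACL is what lets the bucket listing be crawled in the first place.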

PUBLISHED, MARCH 27