Another day, another misconfigured database leaking sensitive customer data to the wider internet.
This time, the perpetrator is none other than Amazon. As TechCrunch reports, cybersecurity researcher Anurag Sen recently discovered a large Amazon database, without any password protection, available to anyone who knew where to look.
Using Shodan, a search engine for internet-connected devices and services, Sen discovered the database, called Sauron, and found it full of Amazon Prime viewing habits.
Deployment error
In total, the database contains around 215 million records of pseudonymised viewing data – meaning that while there is plenty of data on specific customers to learn about their viewing habits, it is virtually impossible to link these accounts to actual identities. Sauron contains things like movie/series name, device used to stream the content, network quality, customer subscription plan, etc.
The database was reportedly first exposed in late September 2022, after which Amazon was alerted and removed the system from the wider network.
“There was an error deploying with Prime Video Analytics Server. This issue has been resolved and no account information (including login or payment information) has been disclosed. This was not an AWS problem; AWS is secure by default and performs as designed,” TechCrunch quoted Amazon spokesman Adam Montgomery as saying.
Cloud misconfigurations are nothing new, and researchers have warned for years that this human error is a major cause of data breaches. In fact, a 2021 IBM report claimed that 19% of data breaches occur because IT teams fail to properly protect the assets found in their cloud infrastructure. The company surveyed more than 500 organizations that suffered a data breach for the report and learned that for half (52 percent), protecting data stored in the public cloud remains a challenge.
Additionally, a 2020 Accurics report claimed that “almost all” cloud storage deployments are misconfigured.
https://www.techradar.com/news/an-amazon-prime-video-server-packed-with-viewer-data-was-exposed-online/