Time Warner Hacked – AWS Config Exposes 4M Subscribers


What’s the latest on the web, Time Warner Hacked is what it’s about now as a bad AWS S3 config (once again) exposes the details of approximately 4 Million subscribers.

Time Warner Hacked - AWS Config Exposes 4M Subscribers


This follows not long after the Instagram API leaking user contact information and a few other recent leaks involving poorly secured Amazon AWS S3 buckets and I’d hazard a guess that it won’t be the last.

Records of roughly four million Time Warner Cable customers in the US were exposed to the public internet after a contractor failed to properly secure an Amazon cloud database.

Researchers with security company Kromtech said freelancers who handled web applications for TWC and other companies had left one of its AWS S3 storage bins containing seven years’ worth of subscriber data wide open on the ‘net. That data included addresses and contact numbers, information about their home gateways, and account settings.

Just before the weekend, Kromtech said the vulnerable AWS instance was operated by BroadSoft, a cloud service provider that had been using the S3 silos to hold the SQL database information that included customer records.

When Kromtech spotted the repository in late August, it realized that databases had been set to allow public access, rather than limit access to administrators or authorized users.

“It is most likely that they were forgotten by engineers and never closed the public configuration. This would allow anyone with an internet connection to access extremely sensitive documents,” Kromtech’s Bob Diachenko said.


This is also not the first Data Leak to involve a poorly secured Amazon S3 bucket (to be fair, AWS IAM is pretty complex).

Still, that’s no excuse if your people can’t understand it – hire someone who can secure your buckets properly (per app, separate users for each). Too many dev teams just use the root account credentials for accessing everything which is the worse possible way to use S3.

“Not only could they access the documents, but any ‘authenticated users’ could have downloaded the data from the URL or using other applications. With no security in place, just a simple anonymous login would work.”

The researchers found that the database included information on four million TWC customers collected between November 26, 2010 and July 7, 2017. The exposed data included customer billing addresses, phone numbers, usernames, MAC addresses, modem hardware serial numbers, account numbers, and details about the service settings and options for the accounts.

A spokesperson for TWC parent company Charter said the telly giant was aware of the cockup and is notifying the customers who were exposed.

“Upon discovery, the information was removed immediately by the vendor, and we are currently investigating this incident with them,” Charter said. “There is no indication that any Charter systems were impacted. As a general security measure, we encourage customers who used the MyTWC app to change their user names and passwords.”

This Time Warner hack has exposed some pretty juicy information, thankfully no credit card details appear to have been leaked but everything else you need to social engineer an account is there, or even in a worse case scenario to hijack someone’s identity.

It’s also not really surprising to me that it’s been that way for some time (possibly even 7 years?) as by default S3 is publically accessible and if you don’t change it nothing will break so it’s very easily forgotten.

Source: The Register

Posted in: Hacking News

, , , ,


Latest Posts:


HELK - Open Source Threat Hunting Platform HELK – Open Source Threat Hunting Platform
The Hunting ELK or simply the HELK is an Open-Source Threat Hunting Platform with advanced analytics capabilities such as SQL declarative language, graphing etc
trape - OSINT Analysis Tool For People Tracking Trape – OSINT Analysis Tool For People Tracking
Trape is an OSINT analysis tool, which allows people to track and execute intelligent social engineering attacks in real-time.
Fuzzilli - JavaScript Engine Fuzzing Library Fuzzilli – JavaScript Engine Fuzzing Library
Fuzzilii is a JavaScript engine fuzzing library, it's a coverage-guided fuzzer for dynamic language interpreters based on a custom intermediate language.
OWASP APICheck - HTTP API DevSecOps Toolset OWASP APICheck – HTTP API DevSecOps Toolset
APICheck is an HTTP API DevSecOps toolset, it integrates existing tools, creates execution chains easily and is designed for integration with 3rd parties.
trident - Automated Password Spraying Tool trident – Automated Password Spraying Tool
The Trident project is an automated password spraying tool developed to be deployed on multiple cloud providers and provides advanced options around scheduling
tko-subs - Detect & Takeover Subdomains With Dead DNS Records tko-subs – Detect & Takeover Subdomains With Dead DNS Records
tko-subs is a tool that helps you to detect & takeover subdomains with dead DNS records, this could be dangling CNAMEs point to hosting services and more.


8 Responses to Time Warner Hacked – AWS Config Exposes 4M Subscribers

  1. engineer September 7, 2017 at 9:36 pm #

    By default S3 buckets are not public.

    • Darknet September 7, 2017 at 9:59 pm #

      They used to be IIRC, but I could be wrong, well I guess more accurately the easiest way to get access to it programmatically is just to set it to public.

    • Engineer S September 10, 2017 at 10:09 pm #

      Yes, it had to be configured to be open to the web.  This story is not really about AWS.  It’s about bad IT controls and careless engineering.

      I wouldn’t even call this a hack, if it’s left open to the public.

  2. Alan M September 8, 2017 at 8:15 am #

    Broadsoft was responsible for exposing the Time Warner Cable (TWC) data. Time Warner (TC) is an entirely separate entity (TC does NOT = TWC).

    • Darknet September 8, 2017 at 3:48 pm #

      Hey thanks for that clarification Alan.

  3. Tracie September 8, 2017 at 8:17 pm #

    Also time Warner cable is no longer TWC . it is now spectrum.

  4. Ryan Dymek September 8, 2017 at 8:29 pm #

    Buckets have zero access beyond the creator. “Easiest way to grant access is to make it public”… that same statement applies to a cisco firewall in an onprem enterprise. And allow any rule is simple but terribly wrong. IAM or bucket policies are no more complex than any enterprise grade firewall. Lets not excuse the behavior of the admin due to ignorance.

    • Darknet September 8, 2017 at 9:22 pm #

      Not excusing it, just saying it happens that way, same reason by MongoDB worked out of the box with no auth and listening on every interface. Not ideal, but a lot of things are done in the name of ease and speed of deployment rather than looking at it with an eye on risk and the repercussions.