The latest on the web: Time Warner has been hacked, with a bad AWS S3 config (once again) exposing the details of approximately 4 million subscribers.
This follows not long after the Instagram API leaking user contact information and a few other recent leaks involving poorly secured Amazon AWS S3 buckets, and I’d hazard a guess that it won’t be the last.
Records of roughly four million Time Warner Cable customers in the US were exposed to the public internet after a contractor failed to properly secure an Amazon cloud database.
Researchers with security company Kromtech said freelancers who handled web applications for TWC and other companies had left one of its AWS S3 storage bins containing seven years’ worth of subscriber data wide open on the ‘net. That data included addresses and contact numbers, information about their home gateways, and account settings.
Just before the weekend, Kromtech said the vulnerable AWS instance was operated by BroadSoft, a cloud service provider that had been using the S3 silos to hold the SQL database information that included customer records.
When Kromtech spotted the repository in late August, it realized that databases had been set to allow public access, rather than limit access to administrators or authorized users.
“It is most likely that they were forgotten by engineers and never closed the public configuration. This would allow anyone with an internet connection to access extremely sensitive documents,” Kromtech’s Bob Diachenko said.
This is also not the first data leak to involve a poorly secured Amazon S3 bucket (to be fair, AWS IAM is pretty complex).
Still, that’s no excuse if your people can’t understand it – hire someone who can secure your buckets properly (per app, separate users for each). Too many dev teams just use the root account credentials for accessing everything, which is the worst possible way to use S3.
“Not only could they access the documents, but any ‘authenticated users’ could have downloaded the data from the URL or using other applications. With no security in place, just a simple anonymous login would work.”
The researchers found that the database included information on four million TWC customers collected between November 26, 2010 and July 7, 2017. The exposed data included customer billing addresses, phone numbers, usernames, MAC addresses, modem hardware serial numbers, account numbers, and details about the service settings and options for the accounts.
A spokesperson for TWC parent company Charter said the telly giant was aware of the cockup and is notifying the customers who were exposed.
“Upon discovery, the information was removed immediately by the vendor, and we are currently investigating this incident with them,” Charter said. “There is no indication that any Charter systems were impacted. As a general security measure, we encourage customers who used the MyTWC app to change their user names and passwords.”
This Time Warner hack has exposed some pretty juicy information. Thankfully no credit card details appear to have been leaked, but everything else you need to social engineer an account is there, or even, in a worst-case scenario, to hijack someone’s identity.
It’s also not really surprising to me that it’s been that way for some time (possibly even 7 years?), as by default S3 is publicly accessible, and if you don’t change it nothing will break, so it’s very easily forgotten.
Source: The Register