A misconfigured Amazon (S3) Simple Storage Service bucket, managed by a Walmart jewelry partner, left personal details and contact information of 1.3 million customers exposed to the public internet.
The S3 repository containing a MSSQL database backup belongs to MBM Company, a Chicago, Ill.-based jewelry company that operates mainly under the name Limogés Jewelry.
The publicly accessible bucket, discovered Feb. 6 by Kromtech Security, contained personal information, including names, addresses, zip codes, phone numbers, e-mail addresses, IP addresses, and plain text passwords, for shopping accounts of over 1.3 million people throughout the US and Canada.
“The negligence of leaving a storage bucket open to the public after the publication of so many other vulnerable Amazon s3 buckets is simple ignorance. Furthermore, to store an unprotected database file containing sensitive customer data in it anywhere directly online is astonishing, and it is completely unfathomable that any company store passwords in plain text instead of encrypting them,” according to Kromtech Security’s report.
At first glance the data appeared to belong to Walmart as the storage bucket was named ‘walmartsql’, said Bob Diachenko, head of communications with Kromtech’s Security Team. However, upon further investigation by Kromtech researchers discovered that the MSSQL database backup actually belonged to MBM Company.
“Upon analyzing the content of bucket we’ve come to the conclusion that [these] were all MBM customers. However, it is unknown whether they’ve been accessing MBM inventory via Walmart platform (or other partner sites) or directly via Limogés Jewelry site,” said Diachenko.
Diachenko told Threatpost that there’s no evidence a malicious party has accessed the open bucket – for instance, no ransom notes were left behind as is sometimes the case in unprotected MongoDB or CouchDB databases.
However, he said, “that does not mean that nobody accessed the data.”
The backup was named MBMWEB_backup_2018_01_13_003008_2864410.bak, which indicates that it may have been public since January 13, 2018.
The database was also found to contain records for many other retailers other than MBM’s partner Walmart, including HSN, Amazon, Overstock, Sears, Kmart, and Target.
“It also contained internal MBM mailing lists, encrypted credit card details, payment details, promo codes, and item orders, which gives the appearance that this is the main customer database for MBM Company Inc. Records were seen with dates ranging from 2000 to early 2018,” according to the report.
Kromtech said its researchers notified Walmart of the public Amazon S3 bucket immediately upon discovery.
Walmart has since secured the storage bucket but was unable to comment on MBM Company. MBM Company was contacted by Kromtech, but hasn’t responded to repeated inquiries.
Amazon S3 buckets are notorious for being misconfigured by owners and leaking data.
In February, an erroneously configured Amazon S3 bucket managed by Paris marketing firm Octoly left contact information and personal details for more than 12,000 social media influencers. Back in July 2017, up to 14 million U.S.-based Verizon customers had their data exposed by a third-party partner, which misconfigured a repository storing the personal information it had access to.
These leaky servers trace back to common errors when it comes to setting up access controls for AWS S3 buckets, according to Detectify Labs.
Different misconfigurations of buckets depend on who owns the S3 bucket, what domain is being used to serve the files in the bucket, and what type of files are inside the bucket, according to a Detectify Labs’ report released in 2017.
“In general, I would describe the current state of affairs with publicly available s3 buckets as ‘alarming,’” Diachenko told Threatpost.
“Regardless of the sophisticated security procedures, there should be a basic safeguard routine in place. Sometimes all you have to do is to check if your main door is locked up,” he said.