Attunity, an Israeli IT firm that provides data management, warehousing, and replication services for the world’s biggest companies, has exposed some of its customers’ data after it left three Amazon S3 buckets exposed on the internet without a password.
The AWS S3 buckets contained information on Attunity’s own operations, but also data from some of its customers — Fortune 100 companies like Ford, Netflix, and TD Bank.
The S3 buckets were found on May 13, and secured three days later, thanks to the work of data breach hunting firm UpGuard.
The exposed information included backups of employees’ OneDrive accounts; email correspondence; system passwords; private keys for production systems; sales and marketing contact information; project specifications; employee personal data; and more.
For example, UpGuard researchers found usernames and passwords for Netflix production database systems, TD Bank invoices for internal software employees were using, and various Ford internal project files.
Other information included email correspondence between employees at unnamed companies, containing passwords for work accounts or production systems.
Backup files also contained troves of private keys and passwords for companies’ internal networks.
Besides Netflix, Attunity itself was one of the companies that had its credentials for internal systems exposed, meaning the leaky S3 server could have served as a springboard for a bigger hack into Attunity’s network.
“System credentials can be found in a number of places in the Attunity data set and serve as a useful reminder of how that information might be stored in many places across an organization’s digital assets,” UpGuard researchers said in a report published yesterday.
It goes without saying that the leak was massive due to the potential ramifications, providing useful information that could have led to intrusions at some of the world’s biggest companies. And Attunity has a who’s who list of customers, according to its website.
Besides data on companies’ IT systems, the S3 buckets also contained files storing employees’ personal data. Attunity was one of the companies that exposed its employees’ data, UpGuard said.
But UpGuard researchers said this was only scratching the surface in the 1TB sample data they downloaded from the exposed Attunity S3 buckets, and the leaky servers probably contained a lot more.
In an email to ZDNet, Qlik, the company who recently acquired Attunity, said it was still investigating the extent of the exposed data and that it had taken all measures to secure the leaky S3 buckets since the report.
“We are still in the process of conducting a thorough investigation into the issue and have engaged outside security firms to conduct independent security evaluations. We take this matter seriously and are committed to concluding this investigation as soon as possible,” a Qlik spokesperson told ZDNet. “At this point in the investigation, indications are that the only external access to data was by the security firm that contacted us.”