Consulting giant Accenture has become the latest big name found to be responsible for serious security failings after it exposed a trove of sensitive data in unsecured Amazon S3 buckets.
The firm left at least four cloud-based storage servers publicly downloadable, exposing secret API data, authentication credentials, certificates, decryption keys, customer information and other data that could have been used to attack Accenture and its clients.
Noted researcher Chris Vickery discovered the S3 buckets configured for public access, which means they could have been downloaded by anyone who entered the relevant web addresses into their internet browser.
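The misconfiguration described above is an ACL or bucket policy that grants read access to everyone. The following added example (not code from the article, from UpGuard, or from Accenture) audits the two documents an S3 bucket can carry for exactly that condition; the sample ACL and policy are constructed here in the shape boto3's `get_bucket_acl()` and `get_bucket_policy()` return, and the bucket name and owner ID are placeholders.

```python
# Group URIs that make an S3 ACL readable by anyone on the internet (AllUsers)
# or by any AWS account holder (AuthenticatedUsers), which is effectively public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_acl_grants(acl):
    """Return (group, permission) pairs the ACL gives to the public groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return findings

def _principal_is_anyone(principal):
    # Bucket policies express "anyone" as "*" or {"AWS": "*"} (possibly inside a list).
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_policy_statements(policy):
    """Return (actions, has_condition) for each Allow statement open to anyone."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and _principal_is_anyone(stmt.get("Principal")):
            actions = stmt.get("Action", [])
            actions = actions if isinstance(actions, list) else [actions]
            findings.append((actions, "Condition" in stmt))
    return findings

def bucket_is_public(acl, policy):
    """True if either document lets arbitrary callers read or list the bucket."""
    return bool(public_acl_grants(acl)) or bool(public_policy_statements(policy))

# Constructed sample documents (placeholder IDs and bucket name, not real data).
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}

if __name__ == "__main__":
    print("public:", bucket_is_public(SAMPLE_ACL, SAMPLE_POLICY), public_acl_grants(SAMPLE_ACL))
```

A conditioned Allow for `Principal: "*"` is reported with `has_condition=True` so it can be reviewed rather than silently passed; in practice the same check is run over every bucket returned by `list_buckets()`.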
One of the servers included 40,000 plain text passwords, possibly for Accenture clients, explained UpGuard cyber resilience analyst Dan O’Sullivan.
Another contained internal access keys and credentials used by the Identity API that authenticates credentials, along with the master access keys for Accenture’s account with the AWS Key Management Service, “exposing an unknown number of credentials to malicious use.”
“Taken together, the significance of these exposed buckets is hard to overstate. In the hands of competent threat actors, these cloud servers, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage,” argued O’Sullivan.
“It is possible a malicious actor could have used the exposed keys to impersonate Accenture, dwelling silently within the company’s IT environment to gather more information. The specter of password reuse attacks also looms large, across multiple platforms, websites, and potentially hundreds of clients.”
Accenture is by no means the first company to be found out like this. UpGuard and Kromtech Security have uncovered poor security practice at a number of big-name firms over recent months.
Just this week healthcare provider Patient Home Monitoring was found to have exposed sensitive medical data on 150,000 Americans via a misconfigured Amazon S3 repository.
Others found wanting include Verizon, Dow Jones, Viacom and the US Department of Defense.