Data Deposit Box Exposes PII of 270K Users

A company that provides secure cloud storage services has exposed over a quarter of a million private files uploaded by its customers. 

Data Deposit Box left a database containing over 270,000 customer files on an unsecured Amazon S3 bucket. As a result of the breach, data including personally identifiable information (PII) belonging to Data Deposit Box customers was exposed. 

The open bucket was discovered on Christmas Day, 2019, by a vpnMentor research team led by cybersecurity analysts Noam Rotem and Ran Locar.

Inside the unsecured cloud storage bucket, researchers discovered a database packed with thousands of files dating from 2016 to December 25, 2019. Researchers were able to view private user data, including admin usernames and unencrypted passwords in plain text.

Researchers were also able to access IP addresses, email addresses, and GUIDs (globally unique identifiers for resources).

In a report on the breach published March 25, vpnMentor researchers wrote: "In this case, we identified Data Deposit Box as the owner of the database. Before publishing this report, we reached out to the company to share our findings and provide guidance on how to resolve the issue."

Data Deposit Box was contacted regarding the breach on December 20, 2019. By January 6, the database on the open bucket had been secured. 

Researchers warned that the breach could have dire consequences.

"The unencrypted usernames and passwords exposed in this breach may allow malicious parties to access Data Deposit Box’s customers’ accounts," wrote researchers.

"We didn’t log into any users’ accounts for ethical reasons, but we could’ve easily done so. The bad news is that if we’re able to do this, hackers could do it too."

Data Deposit Box is a public company based in Canada that claims to offer a "top rated secure cloud backup storage service for small businesses" that is "100% secure." The company's business model allows customers to continuously back up an unlimited number of devices to their accounts through the company’s app and web portal.

Data Deposit Box has over 350,000 users and 200 partners spread across 53 countries. On February 6, the company entered into an agreement to be acquired by HostPapa Inc.
