Verizon Hit by Another Amazon S3 Leak

Verizon’s cybersecurity strategy has been found wanting again after researchers found a trove of sensitive corporate data in a publicly accessible Amazon S3 bucket, which could have given attackers access to parts of its network.

The 100MB of data included information on the telecoms giant’s Distributed Vision Services (DVS) middleware, according to Kromtech Security.

“Although no customers data are involved in this data leak, we were able to see files and data named ‘VZ Confidential’ and ‘Verizon Confidential’, some of which contained usernames, passwords and these credentials could have easily allowed access to other parts of Verizon's internal network and infrastructure,” explained chief security comms officer, Bob Diachenko.

“Another folder contained 129 Outlook messages with internal communications within Verizon Wireless domain, again, with production logs, server architecture description, passwords and login credentials.”

Verizon took the database offline soon after being informed about it late last week.

However, the bucket appears to have been self-owned by a Verizon Wireless engineer and so wasn’t managed by the company itself, raising questions about security processes and policy at the firm.

That engineer apparently maintained that the exposed data was not confidential, a claim Kromtech is dubious about.

“An improperly configured S3 can lead to viewing, uploading, modifying, or deleting S3 objects by third parties. To prevent S3 data loss or exposure and unexpected charges on your AWS bill, you need to grant access only to trusted entities by implementing the appropriate access policies recommended in this conformity rule,” argued Kromtech VP of strategic alliances, Alex Kernishniuk.

“Brute force tools are already scanning all possible bucket names, analyzing configurations letter by letter and getting closer to your information every minute.”

The leak comes just a few months after human error at a third-party partner led to a leak involving personal and account data on as many as six million Verizon customers.

What’s Hot on Infosecurity Magazine?