In yet another example of how unsecured cloud databases are rendering personal data belonging to millions of people exposed to criminals, an unsecured cloud storage repository that contained sensitive information belonging to personal and business data search service LocalBlox was left exposed to the public not only because of a lack of password protection but also because it was publicly downloadable and configured for access via the internet.
According to security researchers ar UpGuard who discovered the publicly-exposed repository, it contained "48 million records of detailed personal information on tens of millions of individuals, gathered and scraped from popular social media platforms.
Not only details, but also complete profiles of people
The personally identifiable information of millions of people included names, physical addresses and dates of birth scraped from social media platforms such as LinkedIn, Facebook, and Twitter. The exposed records also contained details about internet usage of people and created profiles based on who they were, what they talked about, what they liked, even what they did for a living.
The said repository was an unprotected Amazon S3 storage bucket and contained 151.3 GB compressed file, which, after being decompressed, revealed a 1.2 TB database containing all these details. The repository was secured a day after LocalBlox was informed about the exposure by UpoGuard researchers.
"This data highlights the ease with which Facebook data can be scraped, and the ubiquity of Facebook information in psychographic datasets. According to their website, “LocalBlox is the First Global Customer Intelligence Platform to search, combine and validate deep business and people profiles – at scale.
"The exposed data wasn’t just a customer list, but the very product LocalBlox offers. Their value statements about the power of their data provide some insight into exactly why exposing such data is extremely dangerous," the security firm noted.
"The presence of scraped data from social media sites like Facebook also highlights an important fact: all too often, data held by widely used websites can be targeted by unknown third parties seeking to monetize this information.
"In such cases, both a targeted website like Facebook and any affected users are being victimized, as personal information entrusted to the social network is snatched up for the benefit of a platform of which no one is aware," it added, thereby revealing that Cambridge Analytica isn't the only firm actively harvesting sensitive data from Facebook or other social media platforms.
"Whilst this data breach has strong similarities to multiple other AWS misconfiguration issues that resulted in data breaches, and the data was “publicly available”, the data captured was interesting in that it consolidated personal information scraped from thousands of web sites," says Christopher Littlejohns, EMEA engineer at Synopsys.
"The net result is that it made it easy for an attacker to gain access to a pool of data that would be valuable for subsequent social engineering attacks, account hacking and identity fraud. Any company that collects, consolidates, but does not adequately secure such data is essentially exposing people to higher risk of being targeted.
"They therefore have an even stronger duty of care as they are effectively creating developed intelligence on people that can be used for criminal purposes," he adds.
Cloud services still not secure enough
Even though cloud storage services offer enhanced efficiency and security, a large number of repositories have been, in the past few years, found to be unsecured or configured for public access, thereby making it easy for cyber criminals to gain access to data belonging to millions of people without putting in much effort.
Back in February, personal details of over 12,000 popular Instagram, Twitter, and YouTube personalities were exposed after Octoly, a Paris-based brand marketing company, failed to secure a cloud repository that contained a backup of enterprise IT operations as well as their sensitive information. The exposed details included real names, addresses, phone numbers, email addresses, birth dates, usernames for online accounts and hashed passwords which if decrypted, could lead to password reuse attacks.
In September last year, global media corporation Viacom came within inches of an unprecedented data breach after a server misconfiguration exposed the company's entire IT infrastructure on an unsecured Amazon cloud server. Paramount Pictures, as well as hundreds of television channels including MTV, Comedy Central, VH1 and Nickelodeon, could have lost control of their vast IT infrastructure had cyber criminals stumbled upon the unsecured web server before a team of alert cyber security experts did.