---
title: From the Outside In - How I Uncovered the Cybersecurity Failures of Thousands of Companies
date: 2023-10-15
author: Josephine Pfeiffer
tags: [security, cloud, aws, azure, google-cloud, data-breach, s3-buckets]
description: An exploration of how thousands of companies leave sensitive data exposed in public cloud storage buckets
---

# From the Outside In: How I Uncovered the Cybersecurity Failures of Thousands of Companies (and you can too!)

> **Disclaimer**: The author has contacted the affected companies mentioned in this post, provided instructions on how to remedy the outlined weakness, and deleted all sensitive files from personal devices. None of the companies replied.

In today's digital age, companies are increasingly relying on technology to store sensitive information such as customer data, financial records, medical records, login credentials, and personal communication. Unfortunately, many businesses are failing to properly secure this information, leaving it vulnerable to cyber-attacks and data breaches.

## Leaving the Door Wide Open

It is common to store sensitive information such as infrastructure-as-code state or secret variable files using object storage services such as AWS S3, Google Cloud Storage, etc. However, to secure these files, permissions need to be set up properly (e.g. by restricting access using IAM roles and fine-grained permissions). As it turns out, thousands of companies don't do this and leave sensitive data publicly accessible.

## Real-World Examples of Sensitive Data Exposed to the Public

![Public Cloud Storage Vulnerabilities - An illustration showing unsecured buckets and leaked data](/blog/images/cloud-vulnerabilities.png)

Using some basic scripting, I was able to scan hundreds of thousands of public S3 buckets for *.tfstate files, which can contain the definitions for cloud resources and store sensitive data such as database passwords, IP allow-lists, full certificates, API keys, and more.
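To show what a leaked *.tfstate hands over, here is an added example (not the author's scanning script, and not code from the post) that walks a Terraform state file in format version 4 and lists every attribute holding credential material. The sample state is constructed; the point it demonstrates is that Terraform writes all attribute values to state in plaintext and the `sensitive_attributes` list only suppresses CLI output, so running this against your own state before it reaches a bucket shows exactly what a public copy would expose.

```python
import json
import re

# Attribute names that commonly hold credential material (heuristic, not exhaustive).
SECRET_KEY_RE = re.compile(r"password|passwd|secret|private_key|access_key|api_key|token", re.I)

# Constructed sample state (format version 4); it describes no real infrastructure.
SAMPLE_STATE = json.dumps({
    "version": 4, "terraform_version": "1.5.0",
    "resources": [
        {"mode": "managed", "type": "aws_db_instance", "name": "main", "instances": [{
            "attributes": {"identifier": "prod-db", "username": "admin", "password": "CONSTRUCTED-db-pass"},
            "sensitive_attributes": [[{"type": "get_attr", "value": "password"}]]}]},
        {"mode": "managed", "type": "tls_private_key", "name": "ca", "instances": [{
            "attributes": {"algorithm": "RSA", "private_key_pem": "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED"},
            "sensitive_attributes": [[{"type": "get_attr", "value": "private_key_pem"}]]}]},
        {"mode": "managed", "type": "aws_iam_access_key", "name": "deploy", "instances": [{
            "attributes": {"id": "AKIACONSTRUCTED00000", "secret": "CONSTRUCTED-secret", "user": "deploy"},
            "sensitive_attributes": []}]},  # nothing marked: only the name-based check catches "secret"
    ],
})

def _walk(value, path=""):
    """Yield (dotted_path, leaf) for every leaf of a nested JSON value."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from _walk(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for i, child in enumerate(value):
            yield from _walk(child, f"{path}[{i}]")
    else:
        yield path, value

def find_secrets(state_json):
    """Return (resource_address, attribute_path, value) for each attribute that is marked
    sensitive in the state or whose name looks like a credential; values come back as stored."""
    state = json.loads(state_json)
    findings = []
    for res in state.get("resources", []):
        address = f"{res.get('module', 'root')}.{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            # sensitive_attributes is a list of paths; each path is a list of steps.
            marked = {steps[0]["value"] for steps in inst.get("sensitive_attributes", [])
                      if steps and steps[0].get("type") == "get_attr"}
            for path, value in _walk(inst.get("attributes", {})):
                top_level = re.split(r"[.\[]", path)[0]
                if value not in (None, "") and (top_level in marked or SECRET_KEY_RE.search(path)):
                    findings.append((address, path, value))
    return findings
```

On the constructed state this reports the database password, the CA private key and the IAM secret key, while leaving the username, identifier and key id alone.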
I did the same for some other filename patterns such as production.env, prod.yaml, etc. In total, I scanned through over:

- 308k AWS S3 buckets
- 95k Azure Blob Storage buckets
- 107k Google Cloud Storage buckets

Within minutes, I could freely look through production secrets for thousands of large international companies. To illustrate the extent of this issue, I will share some specific examples:

### An international digital healthcare company from MENA

Stored a production.env file in a publicly accessible S3 bucket. The file contained API keys and admin credentials to a CRM, patient database, and other internal systems.

### A US lottery company

Directly stored customer and transaction data as .csv files in a publicly accessible S3 bucket. The same bucket contained .tfstate files for all environments, containing database credentials, TLS certificates, encryption keys, and sensitive networking configuration.

### A real-time market data API provider

Stored a Dockerfile containing plaintext secrets in a publicly accessible S3 bucket.

### A Web3 software development agency

Stored Kubernetes secrets in a publicly accessible S3 bucket. The base64-encoded secrets included database passwords, wallet private keys, and JWT tokens.

These are just some examples; the list goes on and on…

## The Consequences of Poor Cybersecurity for Businesses and Customers

When businesses neglect cybersecurity, they not only put their own sensitive information at risk, but also the personal and financial information of their customers. During my research, I found private keys for crypto wallets, which can result in direct financial loss for a business and its customers. Breaches of personal data can also result in significant fines for the companies for non-compliance with data protection regulations, as well as damage in terms of trust and public perception.

The most concerning consequence is that it can take a long time for a business or an individual to realize they've been hacked, and by that time the damage has already been done. The fact that sensitive information is floating around on the public internet has been more or less known for a long time, but companies are still ignorant about the extent of this issue.

## Further Reading

![Cloud Security Resources - A collection of recommended reading materials](/blog/images/cloud-security-resources.png)

- [AWS S3 Security Best Practices](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html)
- [Google Cloud Storage Security](https://cloud.google.com/storage/docs/best-practices)
- [Azure Blob Storage Security Guide](https://learn.microsoft.com/en-us/azure/storage/blobs/security-recommendations)
- [OWASP Cloud Security Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cloud_Security_Cheat_Sheet.html)