Amazon cloud databases expose user data, study finds


Amazon’s popular cloud-based data storage feature is exposing sensitive information, including names, dates of birth, and marital status, according to fresh research from cyber analyst Mitiga.

The Amazon Relational Database Service (RDS) was recently lauded by the tech giant’s cloud platform AWS for its “cutting-edge technologies” that had allowed it to enjoy “incredible growth” as traffic grew 40% year on year.

But when Mitiga took a closer look behind the scenes, it found that seemingly routine updates of the RDS architecture were leaving users’ personally identifying information (PII) exposed for up to one month, possibly longer.

The PII observed by Mitiga included private text conversations on dating apps, company employee details, and individual user names, addresses, and emails.

Given that a survey cited by the research firm found that the Amazon RDS service is increasingly popular with retail, media, publishing, and advertising companies, the vulnerability could have quite an impact on public cyber-safety.

Mitiga zeroed in on database “snapshots” as the source of the vulnerability – with the routine updates causing data leaks that it said could be exploited in the wild by threat actors.

“An RDS snapshot is an intuitive feature that helps you to back up your database [or] allows a user to share public data or a template database to an application,” said Mitiga, adding that it could also be used to share data with colleagues for brief periods of time.

“Leaked snapshots might potentially be a very valuable asset for a threat actor,” it added. “This can be either during the reconnaissance phase of the cyber kill chain or used for extortion or ransomware campaigns.”

Exposed database showing marital status and names

Keyword clues

Mitiga scrutinized Amazon RDS databases for a research period of one month, between September 21 and October 20.

The first database highlighted in its report was exposed throughout the entire time, allowing the cyber analyst to observe details pertaining to a car rental company, including vehicle and customer details, as well as delivery dates. Customers’ first and last names, phone numbers, email addresses, and even marital statuses were also visible.

Another database was exposed for just four hours, but revealed similar PII of online dating service clients, including date of birth and private messages, while a third – also exposed for the whole month – appeared to reveal data belonging to telephone service applicants.

Of the 2,783 snapshots observed by Mitiga, it is thought that 810 were exposed for the entire month, with another 1,859 being viewable for no more than two days.

Mitiga insists this is a “worldwide phenomenon” – with Amazon RDS exposures detected not only in North and South America, but in the Asia-Pacific and European regions as well.

The cyber analyst reached its findings by filtering out databases unlikely to contain PII, for instance, those that appeared under keyword searches such as “public” or “test.” But when it focused on those using far more promising words in their titles – for instance, “password,” “card,” “credit,” or “secret” – it found a bonanza of sensitive information.
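
A defender's check for the exposure described above, as an added example that is not taken from Mitiga's report or from AWS: the RDS API marks a publicly shared manual snapshot with a "restore" attribute whose values include "all", and this Python sketch flags such snapshots in your own account, raising the priority when the name contains one of the keywords quoted in the article. The function names, sample snapshot names and account ID are constructed for illustration, and audit_region assumes boto3 and read-only RDS credentials.

```python
# Added example: flag manual RDS snapshots in your own account that are shared.
SENSITIVE_HINTS = ("password", "card", "credit", "secret")  # keywords from the article


def classify(snapshot_id, attrs_result):
    """Interpret one DBSnapshotAttributesResult dict returned by the RDS API."""
    restore = []
    for attr in attrs_result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore":
            restore = list(attr.get("AttributeValues", []))
    public = "all" in restore  # "all" means any AWS account may copy or restore it
    hinted = any(h in snapshot_id.lower() for h in SENSITIVE_HINTS)
    if public:
        severity = "critical" if hinted else "high"
    elif restore:
        severity = "review"  # shared with named accounts only; confirm each one
    else:
        severity = "ok"
    return {"snapshot": snapshot_id, "public": public,
            "shared_accounts": [a for a in restore if a != "all"],
            "severity": severity}


def audit_region(region):
    """Check every manual DB snapshot in one region of the caller's own account."""
    import boto3  # imported here so classify() also works offline

    rds = boto3.client("rds", region_name=region)
    findings = []
    for page in rds.get_paginator("describe_db_snapshots").paginate(SnapshotType="manual"):
        for snap in page["DBSnapshots"]:
            sid = snap["DBSnapshotIdentifier"]
            result = rds.describe_db_snapshot_attributes(DBSnapshotIdentifier=sid)
            findings.append(classify(sid, result["DBSnapshotAttributesResult"]))
    return [f for f in findings if f["severity"] != "ok"]


# Constructed sample responses (not real snapshots), in the API's response shape.
SAMPLE = {
    "customer-card-export": {"DBSnapshotAttributes": [
        {"AttributeName": "restore", "AttributeValues": ["all"]}]},
    "nightly-orders": {"DBSnapshotAttributes": [
        {"AttributeName": "restore", "AttributeValues": ["111122223333"]}]},
    "internal-backup": {"DBSnapshotAttributes": [
        {"AttributeName": "restore", "AttributeValues": []}]},
}


def audit_sample():
    return [classify(sid, res) for sid, res in SAMPLE.items()]
```

Run audit_region once per region in use, since snapshots are regional; Aurora cluster snapshots are listed through separate API calls and are not covered here.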

Exposed database showing telephone service applicant details

Database danger

And even companies that don’t store PII on their Amazon databases should be worried by Mitiga’s findings, the research company insists.

“Let’s assume you are very responsible and there is no way you go and expose a database with PII publicly, not even for one second,” it said. “Is there anything else you need to worry about when you expose your snapshot to anyone? The answer is yes.”

It added: “Today, there is no native way to correlate between account ID and the company that owns this account. It’s not an official secret, but AWS doesn’t publish a big table with this correlation, and not without a reason – threat actors in many situations will pay a lot for this.”

But Mitiga was able to make the connection between account IDs seen on exposed databases and the companies that owned them because closer scrutiny of snapshot metadata revealed vital clues such as employee names, who could then be cross-referenced with their employers on LinkedIn.

While acknowledging that its research methods were “a little creepy,” Mitiga pointed out that enterprising threat actors would be only too ready to use such methods to get the information they need.

“If the attacker had a way to find out the company based on account ID, they could commit their precious blackmail and get a lot of money,” it added.