Emmys data leak: update exposes access to award submissions



Emmy.tv, the official platform for watching the Emmys, left access keys publicly accessible, exposing access to its cloud storage instances. Everything from access to buckets containing Slack and Jira files to internal databases was left accessible ahead of the award season.


In early April, our research team received an anonymous tip about a massive security mishap plaguing Emmy.tv. According to the anonymous researcher, the official platform of the National Academy of Television Arts & Sciences (NATAS) pushed an update that, in essence, left the platform completely open to anyone.


“The leaked credentials could have allowed access to an extensive list of sensitive resources, including user databases and internal communications and task tracking tools,” our researchers explained.

“Such deep-rooted access could then be used for lateral movement, creation of unauthorized accounts, which could be used for phishing, or to manipulate contest results.”

Emmy.tv is used by numerous users to watch the Emmy Awards, access archived ceremonies, winter interviews, and other content. The Emmys are among the most prestigious awards in the television industry.

We have reached out to Emmy.tv for comment and will update this article once we receive a reply.

Exposed credentials in the website’s HTML code. Image by Cybernews.

How did the Emmys data leak happen?

Our researchers believe Emmy.tv exposed Amazon Web Services (AWS) credentials after a platform update. While we can’t be 100% sure, in most cases like this, human error is the main culprit.

According to the team, the credentials were published as part of the publicly accessible HTML code that all browsers download when accessing websites.


According to information provided by the anonymous tipper, the leaked credentials exposed a list of the cloud storage buckets used in production for the Emmys' sensitive resources. The list of exposed buckets included numerous sensitive services, such as Slack, Jira, Zoom, and Emmys emails.

List of S3 buckets that the credentials granted access to. Image by Cybernews.

Other exposed infrastructure included Emmys Android, FireTV, iOS, and Roku apps, as well as multiple internal databases.

“The bucket specified next to the AWS credentials wasn’t even access-protected and hosted member submissions to the Emmys, including trailers and scripts,” the team explained.

The Cybernews research team verified the claims of the anonymous researcher, but we did not use the leaked credentials to access any of the exposed services. After receiving the tip, our team checked and also saw exposed credentials.

Moreover, Cybernews researchers reviewed the list of resources sent by the anonymous researcher and found that some required no credentials to access.

The team contacted Emmys, and as of May 6th, the credentials were no longer exposed.


Emmys single point of failure

However, if less high-minded individuals managed to catch the exposed data, its implications could be serious. With access to everything, from internal communications on Slack and Zoom to email communications and workflow planning, there’s little that skilled attackers couldn’t do.


The team noted that a credential leak may have enabled access to protected, sensitive resources, including databases containing personal user data and sensitive internal communications.

To make matters worse, the web is flooded with automated bots looking for similar mistakes, and accessing a brand's internal dealings, especially one as recognizable as the Emmys, would be a valuable commodity on the dark web.


“The leak is a stark reminder of the importance of resource segmentation – in this case, a majority of the Emmys internal resources could have been accessed without permission with a single leaked set of credentials,” our researchers explained.

The team also noted that it’s always a good idea to maintain a different set of credentials for different services to avoid a single point of failure.

“In this case, the credentials were provided to the client in order to access a cloud storage bucket that didn't even require these credentials, likely due to another misconfiguration when setting up the bucket,” the team said.

In other words, the exposed credentials were sent to every browser attempting to access the website, along with instructions on which buckets could be accessed with them. Ironically, though, the buckets didn’t require credentials to access them in the first place.
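The failure described here, AWS credentials and a bucket reference shipped inside the HTML every visitor downloads, can be caught by a pre-deployment check on the rendered page. The following is an added example, not code from Cybernews or Emmy.tv; the sample page, the `APP_CONFIG` object, the bucket name and the 300-character search window are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# AWS access key IDs: 20 chars, prefix AKIA (long-term) or ASIA (temporary).
KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret keys are 40 base64-alphabet chars; only checked close to a key ID,
# since a bare 40-char run (e.g. a SHA-1 hex digest) is common in pages.
SECRET = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
BUCKET = re.compile(r"\b([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3[.-][a-z0-9.-]*amazonaws\.com")
WINDOW = 300  # characters either side of a key ID searched for companions

# Constructed sample page; the key pair is AWS's documented example value.
SAMPLE = """<html><head><script>
window.APP_CONFIG = {
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  uploads: "https://example-submissions.s3.amazonaws.com/"
};
</script></head><body>Welcome</body></html>"""

class _Collector(HTMLParser):
    """Collects text, inline scripts, comments and attribute values."""
    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        self.chunks.extend(v for _, v in attrs if v)

    def handle_data(self, data):
        self.chunks.append(data)

    handle_comment = handle_data

def scan_html(html):
    """Return one finding per distinct access key ID present in served HTML."""
    parser = _Collector()
    parser.feed(html)
    parser.close()
    text = "\n".join(parser.chunks)
    found = {}
    for m in KEY_ID.finditer(text):
        near = text[max(0, m.start() - WINDOW): m.end() + WINDOW]
        f = found.setdefault(m.group(), {"secret_nearby": False, "buckets": set()})
        f["secret_nearby"] |= bool(SECRET.search(near))
        f["buckets"] |= set(BUCKET.findall(near))
    # Report a redacted ID so the scanner's own output does not re-leak the key.
    return [{"key_id": k[:4] + "..." + k[-4:], "secret_nearby": f["secret_nearby"],
             "buckets": sorted(f["buckets"])} for k, f in found.items()]
```

Run against build output or a staging response, any non-empty result should fail the release, and a key that has already been served should be treated as compromised and rotated.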

Disclosure timeline

  • Leak discovered (via an anonymous tip): April 9th, 2026
  • Initial disclosure: April 13th, 2026
  • Issue observed fixed: May 6th, 2026
