Amazon Web Services (AWS) Data Breaches: Full Timeline Through 2023

The most recent known Amazon Web Services (AWS) breach happened in May 2022, when a security firm identified over 6.5 terabytes of exposed information on servers belonging to Pegasus Airlines. As of October 2023, we have found no AWS breaches since that incident.

Below, we’ll dig into a full timeline of AWS breaches, starting with the most recent. For breaches directly involving Amazon itself, see our article on Amazon data breaches.

June 2022: Former AWS Employee Convicted for Capital One Breach

In June 2022, former AWS employee Paige Thompson was convicted for her role in the 2019 Capital One breach. While working for Amazon, Thompson exploited her knowledge of cloud server vulnerabilities at Capital One and more than 30 other companies. All told, Thompson stole the personal information of over 100 million people, including names, dates-of-birth, and social security numbers.

The defense portrayed Thompson as an ethical hacker seeking to notify companies of vulnerabilities before bad actors could exploit them. The U.S. Department of Justice argued otherwise, noting that Thompson failed to notify the companies she breached, bragged about the incident on hacker forums under the alias “erratic”, and profited from the breach by installing cryptomining software on many of the servers she hacked. As assistant U.S. attorney Andrew Friedman put it in his closing arguments, “She wanted data, she wanted money, and she wanted to brag.”

After ten hours of deliberation, a Seattle jury found Thompson guilty of wire fraud, as well as five counts of unauthorized access to a protected computer and damaging a protected computer. They found her not guilty of access device fraud and aggravated identity theft. Thompson could face up to 45 years in prison.

Not that Capital One got off easy. Finding their security practices lacking, the Office of the Comptroller of Currency fined Capital One for $80 million, and the company paid out an additional $190 million settlement in a class action lawsuit.

May 2022: 23 Million Files Exposed in Pegasus Airlines Breach

In May 2022, a security firm discovered an unprotected AWS S3 bucket containing 6.5 terabytes of “Electronic Flight Bag” information, including navigation information, proprietary software, and personal information pertaining to Pegasus Airlines crew members. Once notified of the exposed information, Pegasus Airlines promptly secured the unprotected S3 bucket.

December 2021: FlexBooker Breached, Compromising 3 Million Users

In December 2021, a hacker group identified as “Uawrongteam” broke into FlexBooker, an online booking platform, and made off with data on roughly three million users. After looting the data, they posted it for sale on various hacker forums.

The stolen data included drivers’ licenses and other personally identifying information, as well as password data. The data was apparently accessed by exploiting FlexBooker’s Amazon Web Services configuration.

August 2021: SeniorAdvisor Exposes Personal Data for Over 3 Million Senior Citizens

In August 2021, ethical hackers at WizCase discovered the website SeniorAdvisor had left millions of personal records exposed due to an improperly configured Amazon S3 bucket. These records included names, emails, and phone numbers.

These records come from a list of leads SeniorAdvisor had contacted for sales purposes: as such, they were not limited to customers, but include people who had never done any business with SeniorAdvisor.

July 2021: PeopleGIS Exposes Sensitive Data for Over 80 Municipalities

In July 2021, a group of ethical hackers at WizCase discovered a vulnerability affecting at least 80 municipalities in the United States. This breach resulted from misconfigured Amazon S3 buckets related to MapsOnline, a service run by the software company PeopleGIS. It’s unclear whether the misconfiguration was made by PeopleGIS or by the municipalities in question.

Over a terabyte of data across 1.6 million files was exposed. These files include sensitive personal data of city residents, as well as building plans, city plans, and other information relating to local properties.

June 2021: Turkish Retailer Cosmolog Kozmetik Exposes Customer Records

In June 2021, ethical hackers at WizCase discovered a cache of 9500 customer records left exposed due to an improperly configured S3 bucket. This data included order information, including customers’ names, emails, and physical addresses.

Because Cosmolog Kozmetik operates multiple websites, exposure was not limited to their main site alone: it also included records from sites such as Unishop, Trendyol, and Hepsiburada.

March 2021: Covid Testing Sites Leave Personal Data Exposed

In March 2021, privacy watchdog Comparitech found that Premier Diagnostics, a Utah-based covid testing company, had exposed customers’ personal data via improperly configured Amazon S3 buckets. Over 50,000 customers personal information was exposed, including images of drivers licenses, passports, and medical insurance cards.

February 2021: LogicGate Breach

On February 23, 2021, the risk and compliance startup LogicGate was breached by an unauthorized person. It’s unclear how many people were affected. LogicGate reported the breach in April, 2021.

November 2020: Prestige Software Exposes Hotel Reservation Information

In November 2020, the security team at Website Planet discovered that the company Prestige Software had exposed over 10 million records related to it Cloud Hospitality platform, which powers availability information for hotel booking websites. This information, which included customers’ names and credit card numbers, was exposed due to a misconfigured Amazon S3 bucket.

July 2020: Hackers Inject Code into Twilio Software

In July 2020, it came to light that cloud communications Twilio had been hacked due to an exposed Amazon S3 bucket. The hackers injected code that caused web browsers to load a separate URL linked to Magecart attacks. Though customers don’t typically interact with Twilio directly, their customers include companies such as Netflix, Uber, and Shopify.

Most AWS breaches involve data that has been directly exposed to potential bad actors. In this case, hackers were able to not only read the software in question, but modified its code to aid in future cyberattacks.

February 2020: Millions of Shoppers Data Exposed

A large, unsecured AWS database was discovered in February 2020 that held sensitive data on millions of European shoppers, including records from Amazon, PayPal, eBay, Shopify, and Stripe. Along with names, addresses, emails, and phone numbers, records included payment histories, order histories, invoice links, and partial credit card numbers.

There were also other kinds of data in the database. For example, an Amazon Marketplace Web Services (MWS) authentication token was in the mix, as well as an AWS access key ID and some MWS queries.

It appears that the database belonged to a company that was conducting a value-added tax (VAT) analysis. This company has not been identified by media reports. Not only was the core incident concerning, but it also showcased how much data can end up in the hands of third parties, often without the shopper’s knowledge.

December 2019: Cannabis Retail Software THSuite Exposes Data on Over 30,000 Customers

In January 2020, a research team at vpnMentor discovered that over 30,000 customers’ information had been exposed on THSuite, a software company that provides services to cannabis retailers. This data included transaction information as well as sensitive records including photos of drivers’ licenses. It was exposed due to an improperly configured Amazon S3 bucket.

July 2019: Capital One Breach Exposes Over 100 Million Customers

Capital One: an AWS customer: revealed in July 2019 that its server was hacked by a former Amazon employee. In total, over 100 million customers were impacted, exposing sensitive personal information like Social Security Numbers, bank account numbers, credit card transaction records, credit scores, and more.

The person behind the hack was reportedly a woman who previously worked as an AWS systems engineer. Capital One blamed a “firewall misconfiguration” for the breach. Amazon denied any responsibility, stating that their systems weren’t at fault.

Still, the incident put an uncomfortable spotlight on AWS, and not all were convinced that the tech giant was free from all responsibility.

May 2019: Chtrbox Exposes 49 Million Instagram Records

In May 2019, an exposed database of personal information and account data was discovered belonging to the company Chtrbox, a third-party Instagram client. This data, which included email addresses and phone numbers, was left exposed due to an improperly configured AWS server.

You can read more in our full timeline of Instagram data breaches.

June 2017: Deep Root Analytics Breach Exposes Personal Data on 198 Million Voters

Deep Root Analytics: a data analytics firm that the Republican National Committee hired to gather information on American voters: left an S3 bucket containing records on approximately 198 million American voters unsecured. Along with personal information like names, addresses, birth dates, and phone numbers, the server also held voter profiling data, such as party affiliation.

The information was on an Amazon server but was not password protected. It was left accessible to the public for around two weeks, though it isn’t clear whether the data was stolen by a malicious actor.

About the Author

Find Michael on LinkedIn

Michael X. Heiligenstein

Michael X. Heiligenstein is the founder and editor-in-chief of the Firewall Times. He has six years of experience in online publishing and marketing. Before founding the Firewall Times, he was Vice President of SEO at Fit Small Business, a website devoted to helping small business owners. He graduated from the University of Virginia with a degree in English and History.