Amazon Web Services (AWS) Data Breaches: Full Timeline Through 2022

The most recent known Amazon Web Services (AWS) breach happened in August 2021, when personal information pertaining to over 3 million senior citizens leaked via SeniorAdvisor.

As in most AWS breaches, this information was exposed due to improperly configured S3 buckets on the part of the business using AWS. This type of vulnerability has become one of the most common attack vectors in recent years, and you can read about some of the high profile AWS breaches below. So far we have not found any recorded AWS breaches in 2022.

Amazon is not directly responsible for these breaches, but you can read about Amazon data breaches here.

August 2021: SeniorAdvisor Exposes Personal Data for Over 3 Million Senior Citizens

In August 2021, ethical hackers at WizCase discovered the website SeniorAdvisor had left millions of personal records exposed due to an improperly configured Amazon S3 bucket. These records included names, emails, and phone numbers.

These records come from a list of leads SeniorAdvisor had contacted for sales purposes: as such, they were not limited to customers, but include people who had never done any business with SeniorAdvisor.

July 2021: PeopleGIS Exposes Sensitive Data for Over 80 Municipalities

In July 2021, a group of ethical hackers at WizCase discovered a vulnerability affecting at least 80 municipalities in the United States. This breach resulted from misconfigured Amazon S3 buckets related to MapsOnline, a service run by the software company PeopleGIS. It’s unclear whether the misconfiguration was made by PeopleGIS or by the municipalities in question.

Over a terabyte of data across 1.6 million files was exposed. These files include sensitive personal data of city residents, as well as building plans, city plans, and other information relating to local properties.

June 2021: Turkish Retailer Cosmolog Kozmetik Exposes Customer Records

In June 2021, ethical hackers at WizCase discovered a cache of 9500 customer records left exposed due to an improperly configured S3 bucket. This data included order information, including customers’ names, emails, and physical addresses.

Because Cosmolog Kozmetik operates multiple websites, exposure was not limited to their main site alone: it also included records from sites such as Unishop, Trendyol, and Hepsiburada.

March 2021: Covid Testing Sites Leave Personal Data Exposed

In March 2021, privacy watchdog Comparitech found that Premier Diagnostics, a Utah-based covid testing company, had exposed customers’ personal data via improperly configured Amazon S3 buckets. Over 50,000 customers personal information was exposed, including images of drivers licenses, passports, and medical insurance cards.

February 2021: LogicGate Breach

On February 23, 2021, the risk and compliance startup LogicGate was breached by an unauthorized person. It’s unclear how many people were affected. LogicGate reported the breach in April, 2021.

November 2020: Prestige Software Exposes Hotel Reservation Information

In November 2020, the security team at Website Planet discovered that the company Prestige Software had exposed over 10 million records related to it Cloud Hospitality platform, which powers availability information for hotel booking websites. This information, which included customers’ names and credit card numbers, was exposed due to a misconfigured Amazon S3 bucket.

July 2020: Hackers Inject Code into Twilio Software

In July 2020, it came to light that cloud communications Twilio had been hacked due to an exposed Amazon S3 bucket. The hackers injected code that caused web browsers to load a separate URL linked to Magecart attacks. Though customers don’t typically interact with Twilio directly, their customers include companies such as Netflix, Uber, and Shopify.

Most AWS breaches involve data that has been directly exposed to potential bad actors. In this case, hackers were able to not only read the software in question, but modified its code to aid in future cyberattacks.

February 2020: Millions of Shoppers Data Exposed

A large, unsecured AWS database was discovered in February 2020 that held sensitive data on millions of European shoppers, including records from Amazon, PayPal, eBay, Shopify, and Stripe. Along with names, addresses, emails, and phone numbers, records included payment histories, order histories, invoice links, and partial credit card numbers.

There were also other kinds of data in the database. For example, an Amazon Marketplace Web Services (MWS) authentication token was in the mix, as well as an AWS access key ID and some MWS queries.

It appears that the database belonged to a company that was conducting a value-added tax (VAT) analysis. This company has not been identified by media reports. Not only was the core incident concerning, but it also showcased how much data can end up in the hands of third parties, often without the shopper’s knowledge.

December 2019: Cannabis Retail Software THSuite Exposes Data on Over 30,000 Customers

In January 2020, a research team at vpnMentor discovered that over 30,000 customers’ information had been exposed on THSuite, a software company that provides services to cannabis retailers. This data included transaction information as well as sensitive records including photos of drivers’ licenses. It was exposed due to an improperly configured Amazon S3 bucket.

July 2019: Capital One Breach Exposes Over 100 Million Customers

Capital One: an AWS customer: revealed in July 2019 that its server was hacked by a former Amazon employee. In total, over 100 million customers were impacted, exposing sensitive personal information like Social Security Numbers, bank account numbers, credit card transaction records, credit scores, and more.

The person behind the hack was reportedly a woman who previously worked as an AWS systems engineer. Capital One blamed a “firewall misconfiguration” for the breach. Amazon denied any responsibility, stating that their systems weren’t at fault.

Still, the incident put an uncomfortable spotlight on AWS, and not all were convinced that the tech giant was free from all responsibility.

May 2019: Chtrbox Exposes 49 Million Instagram Records

In May 2019, an exposed database of personal information and account data was discovered belonging to the company Chtrbox, a third-party Instagram client. This data, which included email addresses and phone numbers, was left exposed due to an improperly configured AWS server.

You can read more in our full timeline of Instagram data breaches.

June 2017: Deep Root Analytics Breach Exposes Personal Data on 198 Million Voters

Deep Root Analytics: a data analytics firm that the Republican National Committee hired to gather information on American voters: left an S3 bucket containing records on approximately 198 million American voters unsecured. Along with personal information like names, addresses, birth dates, and phone numbers, the server also held voter profiling data, such as party affiliation.

The information was on an Amazon server but was not password protected. It was left accessible to the public for around two weeks, though it isn’t clear whether the data was stolen by a malicious actor.

Leave a Comment