Amazon Web Services (AWS) vulnerabilities are among the most common attack vectors in recent years. Most often, these are due to improperly configured S3 buckets on the part of the business using AWS. When this vulnerability occurs, it doesn’t require anything more than the correct server address to access the data.
Amazon is not directly responsible for these breaches – but you can read about Amazon breaches here. Below we’ve listed several AWS-related breaches that have happened in recent years.
February 2021 – LogicGate Breach
On February 23, 2021, the risk and compliance startup LogicGate was breached by an unauthorized person. It’s unclear how many people were affected. LogicGate reported the breach in April, 2021.
February 2020 – Millions of Shoppers Data Exposed
A large, unsecured AWS database was discovered in February 2020 that held sensitive data on millions of European shoppers, including records from Amazon, PayPal, eBay, Shopify, and Stripe. Along with names, addresses, emails, and phone numbers, records included payment histories, order histories, invoice links, and partial credit card numbers.
There were also other kinds of data in the database. For example, an Amazon Marketplace Web Services (MWS) authentication token was in the mix, as well as an AWS access key ID and some MWS queries.
It appears that the database belonged to a company that was conducting a value-added tax (VAT) analysis. This company has not been identified by media reports. Not only was the core incident concerning, but it also showcased how much data can end up in the hands of third parties, often without the shopper’s knowledge.
July 2019 – Capital One Breach Exposes Over 100 Million Customers
Capital One – an AWS customer – revealed in July 2019 that its server was hacked by a former Amazon employee. In total, over 100 million customers were impacted, exposing sensitive personal information like Social Security Numbers, bank account numbers, credit card transaction records, credit scores, and more.
The person behind the hack was reportedly a woman who previously worked as an AWS systems engineer. Capital One blamed a “firewall misconfiguration” for the breach. Amazon denied any responsibility, stating that their systems weren’t at fault.
Still, the incident put an uncomfortable spotlight on AWS, and not all were convinced that the tech giant was free from all responsibility.
June 2017 – Deep Root Analytics Breach Exposes Personal Data on 198 Million Voters
Deep Root Analytics – a data analytics firm that the Republican National Committee hired to gather information on American voters – left an S3 bucket containing records on approximately 198 million American voters unsecured. Along with personal information like names, addresses, birth dates, and phone numbers, the server also held voter profiling data, such as party affiliation.
The information was on an Amazon server but was not password protected. It was left accessible to the public for around two weeks, though it isn’t clear whether the data was stolen by a malicious actor.