This article is more than 1 year old
Aw, not you too, Verizon: US telco joins list of leaky AWS S3 buckets
Now is a good time to go check your own Amazon settings. It's OK, we'll wait
Yet another major company has burned itself by failing to properly secure its cloud storage instances. Yes, it's Verizon.
Researchers with Kromtech Security say they were able to access an AWS S3 storage bucket that contained data used by the US telco giant's billing system and the Distributed Vision Service (DVS) software that powers it.
"DVS is the middleware and centralized environment for all of Verizon Wireless (the cellular arm of VZ) front-end applications, used to retrieve and update the billing data," Kromtech revealed today.
"Although no customers data are involved in this data leak, we were able to see files and data named 'VZ Confidential' and 'Verizon Confidential', some of which contained usernames, passwords and these credentials could have easily allowed access to other parts of Verizon's internal network and infrastructure."
The researchers also say they were able to retrieve a number of Outlook messages, router host information, and "B2B payment server names and info."
The insecure instance, which had been configured to allow anyone on the internet to access, was closed after Kromtech reported the issue to Verizon.
As with previous S3 misconfigurations, this one seems to be down to human error, rather than any technical failings on the part of Verizon or AWS: we're told it was rather the result of someone forgetting to disable public access.
"Upon analyzing the content of the repository, we identified the alleged owner of the bucket and sent responsible notification email on September 21st," said the Kromtech team.
"Shortly after that, online archive has been took down and it has been later confirmed that the bucket was self-owned by Verizon Wireless engineer and it did not belong or managed by Verizon."
Verizon did not return a request for comment on the report.
This is not the first biz Kromtech researchers have spotted keeping confidential data in an insecure storage bucket. In recent months, the company has spotted vulnerable bins run by the likes of Time Warner Cable, and hotel booking company Bookzie. ®