Et tu Accenture? Then fall S3er: Consultancy giant leaks private keys, emails and more online
AWS config blunder spills secrets all over the internet
Updated Yet another organization has been caught exposing sensitive data to the public internet: this time it is Accenture – consultants to the great and the good – with a misconfigured AWS S3 bucket leaking access keys and other private documents.
On September 17, veteran cloud watchdog Chris Vickery at security shop Upguard found four AWS S3 storage buckets open to the public. The repositories, labelled “acp-deployment,” “acpcollector,” “acp-software,” and “acp-ssl,” contained hundreds of gigabytes of files belonging to Accenture – from internal emails to login credentials stored in plaintext – and were set up by a user called awsacp0175, it is claimed.
All the data was accessible to anyone stumbling across the online silos, apparently.
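The common thread in these S3 blunders is a bucket whose access control list (ACL) or bucket policy hands read access to "everyone". As an added example, not code from the original article and not Upguard's or Accenture's own tooling, here is a small checker that takes the ACL and policy documents in the shape boto3's get_bucket_acl() and get_bucket_policy() return them and reports which grants make the bucket world-readable. The sample ACLs, policies, bucket name and account ID are constructed for illustration; nothing here talks to AWS.

```python
"""Classify an S3 bucket's exposure from its ACL and bucket policy (added example)."""
import json

# Canned ACL group URIs that mean "anyone on the internet" and "anyone with an AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMS = {"READ", "FULL_CONTROL"}
# Policy actions (lower-cased) that let a caller list or fetch objects.
READ_ACTIONS = {"s3:*", "s3:get*", "s3:list*", "s3:listbucket", "s3:getobject"}


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def acl_public_grants(acl):
    """Return (group, permission) pairs where a public group can read the bucket."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in READ_PERMS):
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return hits


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. an anonymous grant."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def policy_public_statements(policy):
    """Return (Sid, has_condition) for Allow statements granting read/list to anyone."""
    if isinstance(policy, str):          # get_bucket_policy() returns the policy as a JSON string
        policy = json.loads(policy)
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & READ_ACTIONS:
            # A Condition block may narrow the grant (e.g. to a source VPC); still flag it for review.
            hits.append((stmt.get("Sid", "<no Sid>"), "Condition" in stmt))
    return hits


def classify_bucket(acl, policy):
    """Human-readable findings; an empty list means neither ACL nor policy is world-readable."""
    findings = [f"ACL grants {perm} to {group}" for group, perm in acl_public_grants(acl)]
    for sid, conditional in policy_public_statements(policy):
        note = " (narrowed by a Condition; review it)" if conditional else ""
        findings.append(f"policy statement {sid} allows anonymous read/list{note}")
    return findings


# Constructed samples (not real Accenture data): owner ID, account ID and bucket name are made up.
OWNER = {"Type": "CanonicalUser", "ID": "0123456789abcdef"}
PRIVATE_ACL = {"Owner": OWNER, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
PUBLIC_ACL = {"Owner": OWNER, "Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "DeployRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/deploy"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    for name, acl, pol in [("acl-public", PUBLIC_ACL, SCOPED_POLICY),
                           ("policy-public", PRIVATE_ACL, PUBLIC_POLICY),
                           ("private", PRIVATE_ACL, SCOPED_POLICY)]:
        print(name, classify_bucket(acl, pol) or ["no public access found"])
```

Two caveats a practitioner would add: an AllUsers READ grant on the bucket lists object names, but each object's own ACL decides whether its contents are fetchable, so objects need the same check; and since late 2018 the account- or bucket-level S3 Block Public Access setting can override both ACLs and policies, so the effective answer also depends on that switch.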
One exposed bucket contained what looked like cryptographic keys and credentials for accessing internal Accenture systems. There was also a section labeled – ironically, as it turns out – “Secure Store” which held a plaintext file of the master access key for Accenture’s account with AWS' Key Management Service, used to encrypt and decrypt data in the cloud, according to Upguard.
Also in that archive were a number of client.jks Java keystores which, while password-protected, sat next to plaintext files containing what appeared to be the passwords to unlock them. The trove also appeared to contain Accenture clients' private signing keys.
Acpcollector, we're told, contained information on how to get into and maintain Accenture's various cloud-hosted systems, including VPN keys to dive into Accenture’s private production network, potentially allowing miscreants into the business's most crucial computers.
The acp-software bucket, meanwhile, is a doozy: 137GB of sensitive material including nearly 40,000 plaintext passwords, access keys for Enstratus – a third-party cloud infrastructure management platform – and dossiers on Accenture's ASGARD threat detection database, it is claimed.
It also held Accenture's internal company emails that could have contained highly confidential documents; an event tracking system that monitored stuff like new users being added; records of IP addresses and JSESSIONID session identifiers, including some used by the consultancy's clients; plus internal details on Accenture's Google and Azure accounts, according to Upguard.
Meanwhile, acp-ssl held what looked like private keys to Accenture's cloud services, including its Cloud File Store Key. SSL certificates were also in there, we're told. The Upguard team claimed that, with the matching private keys, these could be used to decrypt or tamper with intercepted communications between the consultancy and its clients.
"Taken together, the significance of these exposed buckets is hard to overstate. In the hands of competent threat actors, these cloud servers, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage," Upguard's Dan O'Sullivan said in an advisory on Tuesday.
"It is possible a malicious actor could have used the exposed keys to impersonate Accenture, dwelling silently within the company’s IT environment to gather more information. The specter of password reuse attacks also looms large, across multiple platforms, websites, and potentially hundreds of clients."
Accenture had no comment at time of going to press. ®
Updated to add
A spokesperson from Accenture has now been in touch in an attempt to downplay the cockup:
There was no risk to any of our clients – no active credentials, PII or other sensitive information was compromised. We have a multi-layered security model, and the data in question would not have allowed anyone that found it to penetrate any of those layers. The information involved could not have provided access to client systems and was not production data or applications.