This article is more than 1 year old

What do Brit biz consultants and X-rated cam stars have in common? Wide open... AWS S3 buckets on public internet

Exposed: Intimate... personal details belonging to thousands of folks

A pair of misconfigured cloud-hosted file silos have left thousands of peoples' sensitive info sitting on the open internet.

Despite attempts by Amazon to encourage its customers to be more careful, there are plenty of IT administrators and developers who are still not getting it. The latest demonstration of this comes from eggheads at VPNmentor, who this week said they found two open AWS S3 buckets, one belonging to a UK consulting firm and another run by an adult webcam host.

The first leaky system was a poorly configured AWS S3 storage bucket linked to UK consulting firm CHS. It included passport scans, tax documents, background check paperwork, criminal records, and expense and benefit forms detailing several thousand business consultants working for CHS and other firms in Blighty from 2011 through 2015.

"Given the nature of the files contained within the database, the information exposed is still relevant and could be used in many ways," VPNmentor says.

"These documents contained a wide range of Personally Identifiable Information (PII) data for 1,000s of British residents and working professionals."

VPNmentor says the data silo was taken down in December after it alerted CERT-UK to the matter. CHS could not be reached, the researchers said.

Sex workers' secrets exposed

The second info trove the team uncovered puts the "exposure" in data exposure. That instance, also a misconfigured S3 bucket, contained nearly 20GB belonging to the subtly-named adult cam network PussyCash.

According to VPNmentor's crew, within that archive was 875,000 records containing the personal information of 4,000 of the site's saucy performers. These include scans of documents that prove the model's age, things like ID cards, birth certificates, and passport scans. Also included were performer release forms and profile information.


Jeff Bezos feels a tap on the shoulder. Ahem, Mr Amazon, care to explain how Capital One's AWS S3 buckets got hacked?


This is particularly bad given the sensitive nature of the work and the need to maintain the personal privacy and safety of the X-rated web stars. There is also the risk that, as the records from virtually every occupied part of the world, that LGBTQ+ performers in some areas could be at risk of persecution.

"There are at least 875,000 keys, which represent different file types, including videos, marketing materials, photographs, clips and screenshots of video chats, and zip files. Within each zip folder – and there is apparently one zip folder per model – there are often multiple additional files (e.g. photographs and scans of documents), and many additional items that we chose not to investigate," the VPNmentor team explained.

"The folders included could be up to 15-20 years old, but are also as recent as the last few weeks. Even for older files, given the nature of the data, it is still relevant and of equal impact as newly added files."

The database was taken offline on January 9, we're told. ®

More about


Send us news

Other stories you might like