TechCrunch has reported that Rallyhood, the social network designed to help groups communicate and coordinate, left one of its cloud storage buckets containing user data open and exposed. The bucket, hosted on Amazon Web Services (AWS), was not protected with a password, allowing anyone who knew the easily guessable web address to access a decade’s worth of user files.

Leaving an AWS S3 storage bucket open to the public is essentially the same as leaving a database open on the Internet. Organizations should put in place basic protections for databases of sensitive data, and they need to do the same with data stored on AWS. Criminals have now had years to develop tools to find these open repositories of monetisable data, so the likelihood of real damage is higher now than ever. Start by understanding where your data is, then make sure the systems that hold it are configured to protect it. Monitor those configurations for change to ensure the data isn’t exposed in the future.