Accenture confirmed that a large bank of private data was left exposed on unsecured cloud servers.
Cybersecurity firm UpGuard yesterday (11 October) revealed that Accenture left at least four cloud-based storage servers unsecured and publicly downloadable.
Various types of personal data were left unsecured, including authentication credentials, certificates, decryption keys and customer information.
Chris Vickery, director of cyber-risk research at UpGuard, made the discovery of four Amazon Web Services (AWS) S3 storage buckets configured for public access on 17 September.
The contents of the buckets were downloadable to anybody who entered their web addresses into their internet browser. Research from UpGuard found that the buckets contained important internal company information, including cloud platform logins and configurations. The servers were secured the day after Vickery made Accenture aware of the exposed data.
Many passwords were left unsecured
While many of the passwords were hashed (transformed into an alphanumeric string), there were still 40,000 plaintext passwords present in one of the database backups. Access keys for a cloud infrastructure management platform called Enstratus were also present, potentially leaking data of other tools coordinated by Enstratus.
UpGuard’s report said: “Taken together, the significance of these exposed buckets is hard to overstate. In the hands of competent threat actors, these cloud servers, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage.”
Vickery told ZDNet that he also found the master keys for Accenture’s AWS Key Management System, which, if stolen, could give an attacker full control over the company’s encrypted data on Amazon servers.
A spokesperson for Accenture said: “We closed the exposure when the Amazon Web Services S3 issue was first reported. As we continue our forensic review, we may learn more but the email and password information in the database is more than two-and-a-half years old and, for Accenture users, of a decommissioned system.”
Accenture also maintains that nobody else had accessed the servers or retrieved any classified information. With recent hacks of large companies filling news feeds around the world, corporations need to be mindful of low-hanging fruit that could be easily exploited by cyber-criminals.