Groupize denies report by researchers at Kromtech, but locks down repo anyway
Another day, another unsecured AWS storage bucket leaking corporate data, this time from hotel booking service Groupize.
The find was made by Kromtech Security Center researchers and is detailed at MacKeeper.
The find has sparked a spat between Kromtech and Groupize, with the latter denying that anything sensitive had leaked.
Au contraire, writes MacKeeper’s Bob Diachenko, claiming that before they were locked down on August 15 the exposed folders included nearly 3,000 documents detailing “contracts or agreements between hotels, customers and Groupize, including credit cards’ payment authorization forms, with full CC#, expiration date and CVV code”, a leads folder with more than 3,000 spreadsheets, and another folder with more than 32,000 “menus, images and more”.
Diachenko says Kromtech first notified Groupize on August 9.
The company told Kaspersky’s Threatpost it’s grateful for Kromtech shedding “light on a potential vulnerability”, and added that it’s been in touch with customers about the issue and “… steps we’ve taken to further secure our systems.”
The Register has contacted Groupize for comment.
AWS S3 leaks are becoming the flavour of 2017. Verizon leaked 14 million customer records, and other open buckets researchers have spotted include those belonging to Dow Jones and voting machine supplier ES&S (both found by former MacKeeper security bod Chris Vickery).
With white-hat-plus-dog Googling for “password AWS”, we expect plenty of others will emerge, even though the default configuration for new AWS storage is that it’s private.
Earlier this month, Amazon unveiled its “patrol bot” service Macie, which tries to identify and help shut down unsecured corporate data repositories. ®