Slashdot Mirror


Cloud-Based Repository Leak Exposes 123 Million American Households (zdnet.com)

"An Amazon Web Services (AWS) S3 cloud storage bucket containing information from data analytics firm Alteryx has been found publicly exposed, comprising the personal information of 123 million U.S. households," reports ZDNet. "The S3 bucket, located at the subdomain 'alteryxdownload,' was found by California cybersecurity firm UpGuard, with its Cyber Risk Team discovering the leak on October 6, 2017." From the report: The 36 GB data file titled "ConsumerView_10_2013" contained over 123 million rows, each one signifying a different American household. A similar file was seen by UpGuard when the personal details of 198 million American voters, compiled in a dataset by a data firm used by the Republican National Committee, were exposed. To highlight the breadth of the issue, UpGuard said the exposed data reveals over 3.5 billion fields of personally identifying details and data points about virtually every American household, including racial and ethnic information. The spreadsheet uses anonymized identifiers, but the information in the other few billion fields is very detailed, UpGuard said. Home addresses, contact information, mortgage status, financial histories, and very specific analysis of purchasing behavior -- such as domestic travel habits, if someone is a cat enthusiast, and their sporting interests -- are up for grabs in the exposed data. As for how this happened, ZDNet says, "the bucket was configured via permission settings to allow any AWS 'Authenticated Users' to download its stored data. Authenticated users are any user that has an AWS account."
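
The summary's last sentence is the whole failure: the "Authenticated Users" grantee in an S3 ACL is a global AWS group, not a group within the bucket owner's account, organisation or VPC (comments 19 and 27 below ask exactly that). The check an operator should have been running is a small one. The following audit is an example added to this page; it is not code from ZDNet, UpGuard or Alteryx. It works on the ACL and bucket-policy documents in the shape that boto3's `s3.get_bucket_acl()` and `s3.get_bucket_policy()` return, but the documents here are constructed samples and the owner ID is a placeholder, so nothing talks to AWS.

```python
"""Audit an S3 bucket for the grants that make it readable from outside the
owning account.  Example added to this page (not code from ZDNet, UpGuard or
Alteryx).  The ACL and policy documents are constructed samples in the shape
boto3's s3.get_bucket_acl() / s3.get_bucket_policy() return; nothing here
talks to AWS."""

from copy import deepcopy
from typing import Dict, List, Optional

# AWS predefined (global) groups.  Neither is scoped to your account,
# organisation or VPC: AllUsers is anonymous access, and AuthenticatedUsers
# is any request signed with credentials from *any* AWS account, which
# anyone can create in minutes.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

PUBLIC_GROUPS = {
    ALL_USERS: "anyone on the Internet (anonymous)",
    AUTHENTICATED_USERS: "any AWS account holder",
}


def acl_findings(acl: Dict) -> List[str]:
    """One finding per ACL grant to AllUsers or AuthenticatedUsers.

    On a bucket ACL, READ lets the grantee list the bucket; an object's own
    ACL is what allows downloading it, so run the same function over
    get_object_acl() results for the objects as well.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append(f"{grant['Permission']} granted to {PUBLIC_GROUPS[grantee['URI']]}")
    return findings


def policy_findings(policy: Dict) -> List[str]:
    """Allow statements whose Principal is '*': the other way a bucket becomes
    public, independently of its ACL.  A Condition on the statement may
    narrow it (e.g. to a source VPC), so treat those as leads to review."""
    findings = []
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # a single statement may be given bare
        stmts = [stmts]
    for stmt in stmts:
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"])
        )
        if stmt.get("Effect") == "Allow" and wildcard:
            suffix = " (conditional)" if "Condition" in stmt else ""
            findings.append(f"policy allows {stmt.get('Action')} to everyone{suffix}")
    return findings


def is_exposed(acl: Dict, policy: Optional[Dict] = None) -> bool:
    """True if either the ACL or the bucket policy opens the bucket up."""
    return bool(acl_findings(acl) or (policy and policy_findings(policy)))


def private_acl(acl: Dict) -> Dict:
    """The ACL a data bucket should have: the owner's FULL_CONTROL grant and
    nothing else (the 'private' canned ACL).  The live equivalent is
    s3.put_bucket_acl(Bucket=name, ACL="private")."""
    owner = deepcopy(acl["Owner"])
    grantee = {"Type": "CanonicalUser", **owner}
    return {"Owner": owner, "Grants": [{"Grantee": grantee, "Permission": "FULL_CONTROL"}]}


# Constructed samples.  The owner ID is a placeholder, not a real canonical ID.
OWNER = {"DisplayName": "example-owner", "ID": "0123456789abcdef" * 4}

# The misconfiguration the article describes: READ for AuthenticatedUsers.
LEAKY_ACL = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", **OWNER}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ],
}

# A bucket policy that hands out object downloads to everyone, ACL aside.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

if __name__ == "__main__":
    print(acl_findings(LEAKY_ACL))
    print(policy_findings(PUBLIC_POLICY))
    print(acl_findings(private_acl(LEAKY_ACL)))
```

Two caveats matter when running this against a real account: the bucket ACL only governs listing, so a bucket whose ACL is clean can still serve every object if the objects' own ACLs or a bucket policy grant READ, which is why both functions exist and why the object ACLs need the same pass; and a wildcard Principal with a Condition is flagged but not judged, since only the condition keys tell you whether it is really public.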

62 comments

  1. WTF is Alteryx? by Anonymous Coward · · Score: 1

    And why do they have so much data on everyone?

    1. Re: WTF is Alteryx? by Anonymous Coward · · Score: 1

      Alteryx is the next Cloud Enabled Self Service ETL tool du jour that a lot of companies are latching on to this year to do Big Data (tm) stuff. Gartner Magic Quadrant blah blah blah. So basically the same thing you can do in any number of other tools, except you drag little icons around.

    2. Re: WTF is Alteryx? by Anonymous Coward · · Score: 0

      Alteryx is the next Cloud Enabled Self Service ETL tool du jour that a lot of companies are latching on to this year to do Big Data (tm) stuff. Gartner Magic Quadrant blah blah blah. So basically the same thing you can do in any number of other tools, except you drag little icons around.

      Fuck! Drag icons around? Where do I sign up for this new paradigm in vertical data markets?

    3. Re:WTF is Alteryx? by martyros · · Score: 2

      From the first paragraph of TFA:

      Exposed within the repository are massive data sets belonging to Alteryx partner Experian, the consumer credit reporting agency, as well as the US Census Bureau, providing data sets from both Experian and the 2010 US Census.

      So Alteryx got data from a credit bureau and screwed it up. This should at least open them up to a massive lawsuit from Experian for breach of contract.

      --

      TCP: Why the Internet is full of SYN.

    4. Re:WTF is Alteryx? by Anonymous Coward · · Score: 0

      Sounds like an Indian name to me; Indian programmers...
      They have no concept of privacy or ethical behaviour.

      CAP === 'commence'

  2. Put these fuckers out of business. by Anonymous Coward · · Score: 1

    And send the executives to prison for the rest of their lives.

    1. Re:Put these fuckers out of business. by Anonymous Coward · · Score: 0

      Not to prison. Run them and their extended families over with road paving equipment, reverse, repeat, reverse, repeat

    2. Re:Put these fuckers out of business. by TheRaven64 · · Score: 1

      Better: make them do community service talking to banks and so on, on behalf of victims of identity fraud, fixing the fallout. Even 10 hours a week for the next year or two of doing that would be a very strong disincentive for other companies.

      --
      I am TheRaven on Soylent News

  3. The justice system should... by Anonymous Coward · · Score: 0

    ...put all of the executives to death by tossing them into a pit full of concentrated nitric acid.

    1. Re:The justice system should... by viperidaenz · · Score: 1

      So that their gold fillings can be easily extracted?

  4. Capitalism will correct this by Anonymous Coward · · Score: 3, Funny

    Don't worry. The invisible hand of the free market will solve this. That is also the reason nobody is in this database who did not volunteer for it.

    1. Re: Capitalism will correct this by Anonymous Coward · · Score: 0

      There is no free market, otherwise bounties would be placed.

      Unethical either way, no? LOL

    2. Re:Capitalism will correct this by Solandri · · Score: 1

      Actually I think the appropriate aphorism here is, "Information wants to be free!" Except that won't be received as well by most of the people here (even though most of them actually believe it).

      The world starts making a lot more sense when you stop viewing it in black and white, and see that absolutes are exceedingly rare, and most sayings are only partially true depending on the situation - be it capitalism or freedom of information.

    3. Re:Capitalism will correct this by rtb61 · · Score: 1

      I think the real problem is, that much data and you can mine it to find all US agents operating abroad, all in the data patterns. The more information you have about all US citizens, the easier it is to find the ones who have chosen to work for three letter agencies and then find the identity shift, from citizen to spy overseas. Youch, much worse and much more dangerous than it seems, especially to the spy vs spy types, extremely problematic from that point of view, especially how much fucking around the US does overseas, how many spies they have in other countries, that identity change is not that hard to mine, given sufficient data and data mining intellect.

      --
      Chaos - everything, everywhere, everywhen

  5. Cloudy with a chance of rain. by Anonymous Coward · · Score: 1

    Apparently Amazon doesn't understand security. Their cloud leaks more than most.

    1. Re:Cloudy with a chance of rain. by leonbev · · Score: 1

      Amazon has been sending their customers warnings about misconfigured S3 buckets for a while now. In order for something like this to happen, a customer would have ignored these warnings for the past 9 months.

      So, yeah, someone probably deserves to be fired over this.

    2. Re:Cloudy with a chance of rain. by CaptainDork · · Score: 1

      I've seen this happen.

      Back when Moby Dick was a minnow, I set a firm up with AT&T DSL.

      I used their firm@firm.com email as the sysadmin contact and watched them change the password so I could not get in.

      Months later their Internet failed and I jumped through hoops with AT&T, learning that they had changed their name servers.

      They had been sending countdown emails, but no one at the firm ever looked.

      --
      It little behooves the best of us to comment on the rest of us.

    3. Re:Cloudy with a chance of rain. by bignetbuy · · Score: 1

      This one isn't on Amazon. These rank amateurs at Alteryx didn't configure their shit properly. Morons don't understand how to protect their data then they poo-poo reports of the severity of the breach. They really don't know what the hell they are doing.

      This company needs to die.

    4. Re:Cloudy with a chance of rain. by bignetbuy · · Score: 1

      This is what I'm talking about:

      "Default security settings for S3 buckets usually allow only authorised users to access the contents; however, UpGuard reports the bucket was configured via permission settings to allow any AWS "Authenticated Users" to download its stored data."

      Alteryx or whatever the fuck their name is set moron permissions and exposed their sensitive data. Amazon can only do so much to engineer around pure stupidity.

    5. Re:Cloudy with a chance of rain. by mysidia · · Score: 1

      What kind of bullshit was going through the idiot's brain when he added Any Authenticated User permission to an S3 bucket that would be used internally by their application?

      There are at least two people who should be fired..... the Employee who added that ridiculous permission, AND the manager who failed to have auditing in place for AWS permissions.

    6. Re: Cloudy with a chance of rain. by orlanz · · Score: 1

      You would be surprised how many people do not know or do not care to. I am talking about IT people, not Mom & Pop. The customer "Just wants it working!" is the excuse. Other times people just do not want the authentication to be a factor in troubleshooting and forget to close access afterward.

      Many times, it is a bit of both. And the amount these people get paid (75k+), they should be fired for negligence. I once had to tell a client that they left their SharePoint with sensitive data open to everyone in the world! They thought "everyone" was just their one small office worth of sales people. This is an office with 2-3 IT people supporting it. And then they wondered why the company took the servers to the data center. But those 3 people still work at that office!

    7. Re:Cloudy with a chance of rain. by Anonymous Coward · · Score: 0

      This isn't Amazon's problem. It is people who configure S3 buckets explicitly as public. This is a setting that someone has to reach for and consciously set, not a default.

      The equivalent would be blaming Microsoft or RedHat because their OS allowed someone to make a webserver that they actively copied sensitive data on for all and sundry to fetch.

      The ironic thing, if this data were a bunch of MP3 files or movies, there would be already motions of discovery filed by the *AA organizations.

    8. Re: Cloudy with a chance of rain. by angulion · · Score: 1

      I do not think this is AWS fault in any way, I do however think there are problems. You have a company that has one or many VPCs and employees are being told "we have an extended LAN there", EC2 "public" follows these rules (confusing that you open port access with a warning to anyone being VPC) while an S3 bucket does not (so same warning, this time it is the world).

  6. Oh Noes! by Shogun37 · · Score: 4, Insightful

    The cloud is insecure! Who would have thought? A locally controlled cloud, or a contract that has incentives for the owners NOT to be pants on head, window licking morons, can be a good thing. However, most clouds (as far as I have seen) are about as secure as a screen door on a submarine. And as long as the owner of the cloud keeps making money, and writing contracts that absolve them of all responsibility, this will keep happening.

    1. Re:Oh Noes! by Anonymous Coward · · Score: 0

      I didn't sign any contract with this company. If my information is in there, I'm suing them and I'm naming Amazon and Trump as co-defendants.

    2. Re: Oh Noes! by Anonymous Coward · · Score: 0

      Unsecure. If the cloud was self conscious about its weight then it would be insecure.

    3. Re:Oh Noes! by Anonymous Coward · · Score: 0

      Wow, speaking of window licking morons. You get right on that, kid. I'll pop the popcorn.

    4. Re: Oh Noes! by Anonymous Coward · · Score: 0

      S3 has a bucket scanner which informs you that your bucket is world readable. People willfully ignored the notices likely because they couldn't get it working.

    5. Re: Oh Noes! by viperidaenz · · Score: 1

      It was only readable to people with an AWS account.

    6. Re: Oh Noes! by Anonymous Coward · · Score: 0

      Which anyone can easily get.

    7. Re: Oh Noes! by Anonymous Coward · · Score: 0

      The "public" warning tag is relatively new.

    8. Re: Oh Noes! by Shogun37 · · Score: 1

      Yep...just noticed that. Thanks.

  7. Now you're questioning by rmdingler · · Score: 1

    As for how this happened, ZDNet says, "the bucket was configured via permission settings to allow any AWS 'Authenticated Users' to download its stored data. Authenticated users are any user that has an AWS account."

    Hey, we had security protocols; that you find them inadequate, well, maybe that's a you problem.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

  8. So, we're just going to keep doing this I guess? by revmoo · · Score: 1

    So, we're just going to keep doing this I guess?

    --
    I would expect such blatant racism on Fark, but on Slashdot? Mods please ban this asshole.

  9. And in other Surprising News... by 14erCleaner · · Score: 1

    A private data analysis firm has detailed information on every American household.

    --
    Have you read my blog lately?

  10. WTF! by Dutchmaan · · Score: 0

    Just how many more stories about GOP connected entities just haphazardly leaving tons upon tons of VOTER data on publicly available (or for foreign powers to use) do we need to see before we start taking action!

    1. Re:WTF! by sconeu · · Score: 0

      The entities aren't associated with Hillary Clinton, so an infinite number?

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.

  11. Nuh-Uh! by Ol+Olsoc · · Score: 1

    I've been assured that the cloud is completely secure by many random people on Slashdot.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.

  12. "including racial and ethnic information" by Anonymous Coward · · Score: 0

    Eh? Why is this what they pick to mention?

    1. Re:"including racial and ethnic information" by viperidaenz · · Score: 1

      Because now people can find all the jews/muslims/blacks/whites/mexicans/etc for their hate crime victims.

    2. Re: "including racial and ethnic information" by Anonymous Coward · · Score: 0

      Oh look! There's that dick from high school who made my life a living hell....

  13. Re:So, we're just going to keep doing this I guess by Anonymous Coward · · Score: 0

    So... we're just going to keep doing this I guess?

  14. Why people didn't learn the fact that Cloud is ... by Anonymous Coward · · Score: 0

    (subject too long; "... is insecure?")

    AWS leak, Cloud Offline, Google Chromebook incident, Cloudflare's Cloudbleed, etc etc.

    Stop using Cloud and install WAF. Use ISP's packet throttle system to reduce DDoS damage. You can do it without cloud.

    https://addons.mozilla.org/en-...

  15. Welcome to the cloud... by Anonymous Coward · · Score: 1

    No matter how secure the communications between the app on your phone and the cloud service...no matter how secure the passwords or TFA methods are to prohibit unauthorized access...no matter how many guards and locks they put on the server room...if the administrator runs a full backup and throws it into an insecure Amazon S3 bucket (or some other cloud provider's bucket)...or copies it onto a portable drive and leaves the drive on his front seat while he runs into the store...or he is tempted by an offer from some hacker web site...or... then 'All your data belong to us!'

    1. Re: Welcome to the cloud... by Anonymous Coward · · Score: 0

      Makes a full backup and intentionally copied it into a world readable bucket and likely was warned about it too. This is simple incompetence.

  16. Cloud computing... by viperidaenz · · Score: 1

    Now instead of a mistake causing a server to be open to your intranet, it's now exposed to the entire internet on a platform constantly scanned for unsecured servers.

  17. Standard Question by Anonymous Coward · · Score: 1

    Where is the data so I can check and see what they leaked about me?

    1. Re:Standard Question by Anonymous Coward · · Score: 0

      I don't trust this as a mistake-proof way of knowing if your data has been compromised, but if it involves a username or email address, it will catch some breaches. If it's data gathered from you that isn't associated with a username or email address, then it probably won't be in their findings. And who is to say that they can get hold of every compromised list? But it's a start.

      https://haveibeenpwned.com/

  18. Relevant Server Fault question: by Anonymous Coward · · Score: 0

  19. any AWS "Authenticated Users is all AWS and not by Joe_Dragon · · Score: 1

    any AWS "Authenticated Users" is all AWS and not just all in your group??

    It's like Windows AD where you think it's just any AD user on your domain or local system but is really any Windows user on the web.

  20. Level1 Techs on Youtube by Anonymous Coward · · Score: 0

    Good folks (viewer) and they help make the bucket problem visible. Technical on how to do something is fine. Get dumb with what you do with it without forethought is remarkable these days.

  21. For those wondering by Solandri · · Score: 3, Informative

    123 million households is pretty much everyone in the U.S..

    1. Re:For those wondering by sn0wflake · · Score: 1

      The 2013 number on that website is 122.46, and 2014 it's 123.23. I guess that the "ConsumerView_10_2013" name refers to October, so with 123 million rows I think it's safe to say that it includes ALL households.

  22. clap your hands by houghi · · Score: 1

    If data about you has been compromised, clap your hands.

    But it is good to know these companies will pay a hefty fine, right? Right? Guys?

    --
    Don't fight for your country, if your country does not fight for you.

  23. US Census Bureau by Anonymous Coward · · Score: 1

    Thanks for keeping your oath, US Census Bureau.

    From: https://census.gov/programs-surveys/acs/about/is-my-privacy-protected.html

    The Census Bureau is legally bound to strict confidentiality requirements. Individual records are not shared with anyone, including federal agencies and law enforcement entities. By law, the Census Bureau cannot share respondents' answers with anyone, -- not the IRS, not the FBI, not the CIA, and not with any other government agency.

    All Census Bureau employees take an oath of nondisclosure and are sworn for life to protect all information that could identify individuals. Disclosing ANY information that could identify you or your family means 5 years in prison, or $250,000 in fines, or both.

    From: https://www.census.gov/privacy/

    We are committed to handling your information responsibly. Your information is kept confidential. This commitment applies to the individuals, households, and businesses that answer our surveys, and to those browsing our website.

    This reminds me of when the U.S. Census Bureau gave up information leading to the detainment of Japanese Americans.

    Somebody should be going to prison if these allegations prove to be true.

    1. Re:US Census Bureau by Anonymous Coward · · Score: 0

      Just because it's a lot of data that also is collected by the Census Bureau doesn't mean that the data came from the Census Bureau. For all we know, a lot of the data is "guessed at" and inaccurate and comes from surveys and shopping behavior.

    2. Re:US Census Bureau by wyHunter · · Score: 1

      Gee, and left wingers wonder why we right wingers are suspicious of government and don't want to give any data out. BTW the Germans did this with religious data as well during WWII.

    3. Re: US Census Bureau by Anonymous Coward · · Score: 0

      Gee and the rest of the world wonders when you get a true democracy instead of a two party plutocracy.

  24. IOW by Anonymous Coward · · Score: 0

    The latest US Census data.

  25. Where can I get a copy? by ElizabethGreene · · Score: 2

    Where can I get a copy?

    I'd like to see how well de-identified it is.

  26. Pretty much ALL US households by Anonymous Coward · · Score: 0

    That is pretty much all households in the USA, according to this there are 125.82 million households in your country.

    https://www.statista.com/statistics/183635/number-of-households-in-the-us/

  27. Re: any AWS "Authenticated Users is all AWS and no by angulion · · Score: 1

    Many organizations have VPCs and any average person might think a setting of public means it is public within that context, not to the entire net. Am I wrong here or is an S3 bucket made public not to the world but to VPC? I tend to be careful, but cloud vendors really could improve this by making anything visible only to company VPC unless special effort is shown. I however do not think that this is an AWS fault in any way.
    Anyone responsible would test this before dumping a DB there.