A security company in the US has discovered thousands of publicly accessible files on Amazon's S3 cloud storage service, many of which contain sensitive information.
Rapid7 discovered the files by searching for storage 'buckets' – logical pool of storage capacity – whose access setting has been changed to 'public', from the default setting of 'private'.
This means that a list of the contents of the bucket can be seen to anyone that knows or guesses the URL.
The company successfully guessed the URL of 12,328 buckets on the S3 service, by inserting the names of Fortune 500 companies into the standard URL format for S3.
Of those, 1,951 of which were set to 'public'. These buckets contained a combined 126 billion files, so Rapid7 analysed a cross section of 40,000 files.
These files were found to contain such sensitive information as sales records, employee personal information, unencrypted passwords and the source code for a video game.
"Much of the data could be used to stage a network attack, compromise users accounts, or to sell on the black market," Rapid7 wrote in a blog post.
Rapid7 advises companies to check whether their S3 buckets are set to public. "If so, think about what you're keeping in that [those] buckets and whether you really want it exposed to the internet and anyone curious to take a look."
As Rapid 7 points out, not only does Amazon set the S3 buckets to private by default, it also provides a walkthrough guide to keeping data stored on the service secure.
The research reveals that lax security practices companies may get away with on their own IT infrastructure are highly dangerous when data is stored on the cloud.