Accenture Left AWS S3 Buckets Containing Cloud Credentials Open to Public
Accenture left four Amazon Web Services (AWS) S3 buckets open and downloadable to the public, containing software for its Accenture Cloud Platform enterprise cloud offering and other sensitive internal data, security researchers said today.
The unsecured AWS S3 buckets were discovered by UpGuard security researcher Chris Vickery on Sept. 17, 2017, and revealed “significant internal Accenture data, including cloud platform credentials and configurations.” Credentials for Accenture’s Google and Azure accounts also appeared to be stored in one of the buckets, which could have far-reaching consequences in the hands of a malicious actor.
The servers were secured the next day, after Vickery, UpGuard's Director of Cyber Risk Research, notified Accenture.
The company, which provides consulting and professional services, is not the first to have had unsecured AWS S3 buckets discovered by UpGuard. Earlier this year, Vickery notified Verizon and election data firm Deep Root Analytics about AWS S3 buckets open to the public, exposing tens of millions of customer and voter records, respectively.
In a blog post on Tuesday, Vickery said that this exposure could have been prevented with a simple password requirement added to each bucket. His recommendation comes as a new survey by OneLogin finds that IT pros are failing to enforce password policies.
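The buckets described here were reachable by anyone who knew their URL, which in S3 terms means a public grant in the bucket ACL or a wildcard principal in the bucket policy. The following is an added example, not code from the article, UpGuard, or Accenture: it audits the two JSON documents that the S3 GetBucketAcl and GetBucketPolicy API calls return and flags the grants that make a bucket world-readable. The sample ACL and policy are constructed for the example, and the `audit_bucket` helper name is this example's own.

```python
"""Offline audit of S3 bucket ACL and bucket-policy documents for public access.

The input shapes mirror what the S3 GetBucketAcl and GetBucketPolicy APIs
return (GetBucketPolicy returns the policy as a JSON string). The sample
documents below are constructed for this example.
"""
import json

# Canned group URIs that grant access to the whole Internet (AllUsers) or to
# any AWS account holder (AuthenticatedUsers); both are effectively public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (group_label, permission) for every ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append((PUBLIC_GROUP_URIS[grantee["URI"]], grant.get("Permission")))
    return findings


def _principal_is_public(principal):
    """True for Principal "*", {"AWS": "*"} or an "AWS" list containing "*"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_policy_statements(policy):
    """Return (Sid, actions) for each unconditional Allow with a wildcard principal.

    Accepts the policy as a dict or as the JSON string GetBucketPolicy returns.
    Statements carrying a Condition block are skipped rather than flagged:
    a wildcard principal restricted to a VPC endpoint or source IP range is
    not public, and deciding that needs human review of the condition.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given bare
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append((stmt.get("Sid", ""), actions))
    return findings


def audit_bucket(name, acl, policy):
    """Combine ACL and policy findings into human-readable lines for one bucket."""
    lines = []
    for group, permission in public_acl_grants(acl):
        lines.append(f"{name}: ACL grants {permission} to {group}")
    for sid, actions in public_policy_statements(policy):
        lines.append(f"{name}: policy statement '{sid}' allows {', '.join(actions)} to everyone")
    return lines


# Constructed sample: owner keeps full control, but a second grant opens READ
# (bucket listing) to AllUsers, and the policy makes every object downloadable.
SAMPLE_ACL = {
    "Owner": {"ID": "exampleowner"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "exampleowner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

if __name__ == "__main__":
    for line in audit_bucket("example-bucket", SAMPLE_ACL, SAMPLE_POLICY):
        print(line)
```

Run against live buckets, the same two functions would take the dicts returned by `get_bucket_acl` and the `Policy` string returned by `get_bucket_policy`; the constructed sample here is enough to see that the conditioned and Deny statements are left alone while the unconditional wildcard grant and the AllUsers ACL entry are reported.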
Accenture’s AWS S3 buckets contained internal access keys and credentials for use by the Identity API, plaintext passwords for decrypting files, private signing keys, databases including credentials for Accenture clients, and more.
“Taken together, the significance of these exposed buckets is hard to overstate. In the hands of competent threat actors, these cloud servers, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage,” Vickery said in a blog post. “It is possible a malicious actor could have used the exposed keys to impersonate Accenture, dwelling silently within the company’s IT environment to gather more information. The specter of password reuse attacks also looms large, across multiple platforms, websites, and potentially hundreds of clients.”
More than half of organizations using cloud storage services like AWS S3 have inadvertently exposed one or more services to the public, recent research by cloud security company RedLock says.