Digital wallet program leaked millions of users' credit cards and IDs?

Another batch of data has been exposed online. This time, vpnMentor's IT security researchers have identified the personal details of millions of unsuspecting users across North America.

The exposure is due to misconfigured Amazon Web Services (AWS) S3 storage that was left without any authentication. In short: anyone with basic knowledge of how to identify public databases could access the data.
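How a bucket owner can check for this kind of misconfiguration, as an added example that is not part of the original article: the function below inspects a bucket's ACL, bucket policy and Public Access Block settings (in the shapes the S3 API returns them) and lists every reason the bucket is open to the public. The sample configuration and the bucket name `example-wallet-uploads` are constructed for illustration.

```python
import json

# S3's predefined groups; a grant to either one makes the ACL public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    principal = principal or []
    return "*" in ([principal] if isinstance(principal, str) else principal)

def public_findings(acl, policy_json, pab):
    """List the reasons a bucket is open to the public (empty list = none found).
    pab is the PublicAccessBlockConfiguration dict, or None if not set.
    Simplification: a wildcard Allow counts only if it has no Condition."""
    pab = pab or {}
    findings = []
    if not pab.get("IgnorePublicAcls"):  # when set, S3 ignores public ACL grants
        for grant in acl.get("Grants", []):
            uri = grant.get("Grantee", {}).get("URI", "")
            if uri in PUBLIC_GROUPS:
                findings.append(f"ACL: {grant.get('Permission')} granted to {uri.rsplit('/', 1)[-1]}")
    if policy_json and not pab.get("RestrictPublicBuckets"):  # when set, public policies stop serving anonymous callers
        statements = json.loads(policy_json).get("Statement", [])
        for st in [statements] if isinstance(statements, dict) else statements:
            if (st.get("Effect") == "Allow" and is_wildcard(st.get("Principal"))
                    and not st.get("Condition")):
                findings.append(f"Policy: {st.get('Action')} allowed for any principal")
    return findings

# Constructed sample: a bucket left readable without authentication.
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-wallet-uploads/*"}]})
LOCKED_DOWN = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for label, pab in (("no public access block", None), ("all four settings on", LOCKED_DOWN)):
        print(label, "->", public_findings(OPEN_ACL, OPEN_POLICY, pab) or "no public exposure found")
```

With all four Public Access Block settings enabled, the same ACL and policy no longer produce any finding, which is why that setting is the usual first line of defense against this class of leak.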

According to vpnMentor's research team, the database belongs to the Austin-based company "Key Ring". Its digital wallet allows users to upload and store digital copies of their documents, including credit cards, ID cards, passports, driver's licenses, gift cards, etc.

The company has more than 14 million customers whose privacy and security have been threatened. vpnMentor revealed in its blog that the digital wallet exposed five S3 buckets containing highly sensitive information, including copies of credit cards showing the card number, expiration date, and CVV number.

1: Credit card 2: NRA membership card 3: Government ID card. (Image via vpnMentor)

In addition, personally identifiable information (PII) is also part of the leaked data, including social security numbers, government ID cards, medical insurance cards, NRA membership cards, gift cards, membership cards, and retail club membership cards.

The total number of leaked images is as high as 44 million. However, it does not end there. The database also discloses the full names, email addresses, dates of birth, postal codes and locations of Key Ring customers. In addition, IP addresses, encrypted passwords and home addresses are also exposed.

All of this content is in plain text format. The company does not provide services to European users, so it will not be hit by huge GDPR fines, but the leak is a heavy blow to its North American customers.

Although it is unclear whether a third party has accessed the database for malicious purposes, the leak exposes customers to a real risk of blackmail and identity theft fraud. In addition, since all credit card numbers are provided in plain text, hackers could also empty customers' bank accounts and commit tax fraud.

  • If a malicious hacker discovered these buckets, the impact on Key Ring users (and the company itself) would be huge. In fact, we cannot be sure that no one else found these S3 buckets and downloaded the content before we notified Key Ring.
  • If this happened, merely deleting the public data may not be enough protection. The vpnMentor team warned that hackers would still have access to all the data, stored locally, offline and completely untraceable.

However, this is not the first time that a misconfigured S3 bucket has disclosed such a large amount of data. A few days ago, a cloud storage provider disclosed the data of millions of customers in plain text. In another incident, a misconfigured S3 bucket exposed the US military's social media espionage to the public.

Origin www.cnblogs.com/wang844754liu43/p/12717952.html