This morning brought news of yet another corporate data leak—this time hitting a major retailer. Misconfigured S3 buckets, public access settings. At this point, I'm not even surprised, just exhausted.
What happened?
Preliminary reports indicate exposed data included:
- Customer PII (names, emails, phone numbers)
- Password hashes (salted, thankfully)
- Three months of order history
- Access control verification — all buckets private by default
- Configuration monitoring — AWS Config Rules or equivalent
- Quarterly audits — minimum frequency
- Data inventory — you can't protect what you don't know exists
- Immediately revoke access
- Launch forensics to assess scope
- Prepare regulatory notifications
- Update IAM policies (reaffirm least privilege)
P.S. If you're not automatically scanning for public S3 buckets yet—implement that today.
What's especially frustrating is when this happens at companies with dedicated security teams. How are public S3 buckets still slipping through in 2024?
Incident response steps
From recent incident response experience:
- Configuration monitoring — AWS Config Rules or equivalent
The data sat in an S3 bucket with public-read permissions. Someone discovered it via GrayhatWarfare and raised the alarm.
Prevention checklist
After every such incident, I update my cloud storage audit checklist:
- Access control verification — all buckets private by default