SHARED INTEL: Ramifications of 86 cities storing citizens’ data in misconfigured AWS S3 buckets

The ethical hackers at WizCase recently disclosed another stunning example of sensitive consumer data left out in the open in the public cloud —  for one and all to access.

Related: How stolen data gets leveraged in full-stack attacks

AWS Builder Community Hub

This latest high-profile example of security sloppiness was uncovered by a team of white hat hackers led by Ata Hakçil. They found personal documents, collected by over 80 US municipalities, sitting in Amazon Web Services S3 storage buckets left wide open in the public cloud.

This included citizens’ physical addresses, phone numbers, drivers’ licenses, tax documents, and more.  There was no need for a password or login credentials to access this information, and the data was not encrypted.

The WizCase team traced this exposure  back to a cloud-delivered information management tool —, supplied by Woburn, Mass.-based PeopleGIS.  WizCase reached out to PeopleGIS and the S3 buckets in question have since been secured.

Some 114 Amazon S3 storage buckets used a common naming pattern associated with  PeopleGIS; of those 28 appeared to be properly configured, and were not accessible without proper credentials; but 86 were accessible without any password nor encryption. The WizCase team outlined three ways this could have happened:

•PeopleGIS created and handed over the buckets to their city customers, and some of them made sure these were properly configured

•The buckets were created and configured by different employees at PeopleGIS, and there were no clear guidelines regarding the configuration of these buckets

•The cities created the buckets themselves, with PeopleGIS guidelines about the naming format, but without any guidelines regarding the configuration, which would explain the difference between the municipalities whose employees knew about it or not.

This is all very helpful intelligence, commendably shared by WizCase. Last Watchdog went a bit deeper with Hakçil:

LW: Please clarify: were these municipalities only in the states of MA, CN and NH?

Hakçil: Most of the buckets of cities we found were MA, CN and NH but there were also a few from RI, PA and OH.

LW: How discoverable were these particular S3 buckets?


Hakçil: We have built a scanner that scans the web for such vulnerabilities. Finding something like this is comparable to searching a needle in a haystack, there are countless examples of such misconfigurations with sensitive data, buried under an even larger amount of misconfigured S3 buckets with non-sensitive data.

It’s actually pretty random; when we discover a misconfigured bucket, we can never know who it belongs to and what it contains until we analyze them. We happened to find two of them that were also spotted by other online publicly available tools, and the rest of the list had a similar naming convention so we understood they were all related pretty quickly.

LW: Can you characterize how much effort it would’ve taken a bad actor to make this same discovery — and take advantage?

Hakçil: Finding these involves luck and knowledge. While finding the tip of the iceberg is heavily reliant on luck, uncovering the rest of the data is reliant on determination. As mentioned above, two of the buckets were discovered by other search engines – people with access to these (and there are a lot) could easily find the buckets. Taking advantage of it doesn’t require much effort – there are ways to just download the whole storage, or even write over it. Then the uses of these files are various, as explained in the report.

LW: Is it safe to assume that much or all of the exposed  data is in the hands of one or more bad actors, at this point?

Hakçil: There is no way for us to know if it has been discovered by bad actors. Only the owners (PeopleGIS and the affected municipalities) could know.

LW: How long were these S3 buckets likely to have been sitting on the Internet, accessible to anyone with the keyboard skills to find and copy the data?

Hakçil: So far we’ve seen many of these misconfigurations were done when creating the buckets, and not somewhere along the way so I believe it is safe to assume something similar might have happened here. We’ve seen some of the buckets were accessible and got archived as back as 2016.

Additionally, some files are dated from 2010 so it might be that it was misconfigured (and thus accessible) since then, but there is no certain way for us to know also it might have been that only a few files were in the buckets back then and more recently more were uploaded.

LW: Based on past data exposure discoveries of this type, what do you expect the impact to be?

Hakçil: First, we should not forget that there is no proof the data has been accessed by any bad actor. Then, if it has indeed been accessed and exploited, it’s probable that most of the data would be sold on the DarkWeb to people looking for such details to help provide fake identities, phishing scams or else. Note – as it is probable that the bucket was misconfigured for a few years already, IF FOUND by bad actors before it was secured, it is likely that the data has already been exploited..

LW: Is this an anomaly or the tip of the iceberg? Local governments are notoriously behind; is this just a local government problem? What about SMBs and large enterprises?

Hakçil: It is definitely the tip of the iceberg. It is not only local governments, it’s SMBs and large enterprises too, like you can see in previous reports we’ve shared. I believe that bucket misconfiguration is, for the big majority of the cases, an old issue.

When configuring a S3 bucket today, Amazon is clearly warning you about the dangers of leaving it publicly accessible, and you’re being reminded of the status of your bucket during the whole process. So most misconfigured buckets are “old” issues and probably due to a lack of knowledge of the impacts of such a vulnerability in the past.

We invite anyone who owns a storage (or even server) to make sure that the access rules are properly set and that these aren’t publicly accessible. It’s a small check that could help both business owners’ and their customers’ online safety.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: