A massive trove of sensitive data was left freely exposed online by the Australian Broadcasting Corporation (ABC). Security experts found at least two unsecured cloud servers operated by the government-run entity, which contained sensitive information including thousands of users' emails, passwords and more.
According to security experts at Kromtech Security, who uncovered the data breach earlier in the week, the information publicly exposed also included data regarding stock files and production services.
This kind of sensitive information "should not have been publicly available online," Kromtech security researcher Bob Diachenko wrote in a blog post.
"The publicly accessible Amazon S3 buckets were indexed by Censys (a public search engine that enables researchers to ask questions about the hosts and networks that compose the Internet) and identified during a regular security audit of misconfigured S3 environment on November 14th.
"It is unclear who else may have had access to ABC's data or content. A majority of what would be considered sensitive or identifiable data came from the daily backups of ABC Commercial's MySQL database," Diachenko added.
Multiple breaches over the past year have been caused by organisations leaving S3 buckets unprotected, which likely led to Amazon recently rolling out new S3 security and encryption features. However, Diachenko noted that the breach at ABC occurred just a week after Amazon rolled out its new security features.
"The most unfortunate part is that the issue occurred due to human error and not a malicious attack. It seems like every few days there is yet another data breach, ransomware threat or a new security flaw and companies or organisations must do more to be proactive in how they store sensitive data online," the security researcher noted.
Here's a list of all the data exposed via ABC's daily backups of its MySQL database:
- Several thousand emails, logins and hashed passwords for ABC Commercial users to access the ABC content (these include users who are well-known members of the media)
- Requests for licensed content as sent by TV and media producers from all over the world to use ABC's content and pay royalties
- Secret access key and login details for another repository, with advance video content
- 1,800 daily MySQL database backups from 2015 to present
He added that Kromtech, with the help of Australian security researcher Troy Hunt, alerted ABC and all the exposed S3 buckets were secured "within minutes".
ABC confirmed to The Register that it was investigating the breach. The company said that it was notified about the breach on Thursday (16 November), two days after Kromtech uncovered the data leak.
"ABC technology teams moved to solve this issue as soon as they became aware," the firm told The Register.