A massive trove of sensitive corporate and customer data was left freely exposed to the public by Accenture, one of the world's biggest management firms. The tech giant left at least four cloud storage servers, which contained highly sensitive decryption keys and passwords, exposed to the public, without any password protections.
The data could have potentially been accessed by hackers, who then could have used the information to mount attacks on both Accenture and its clients.
The data leak was uncovered by Chris Vickery, director of cyber risk research at UpGuard, who privately notified Accenture about its cloud servers having been exposed in mid-September. The exposed servers, which were hosted on Amazon S3 storage services, contained hundreds of GB of sensitive data, including secret API data, authentication credentials, certificates, decryption keys, customer information, and more.
UpGuard researcher Dan O'Sullivan said in a blog that the exposed servers were discovered by Vickery on 17 September. However, it remains unclear as to how long the servers remained exposed before they were found. IBTimes UK has reached out to Accenture for further clarity on the matter and is awaiting a response.
Vickery told ZDNet that the four servers contained data that could be considered the "keys to the kingdom".
The data left exposed included Accenture's Google and Azure accounts, VPN keys, nearly 40,000 plaintext passwords and more. One of the largest exposed servers contained over 137 GB of data, some of which included massive databases of credentials directly related to Accenture's clients.
"Taken together, the significance of these exposed buckets is hard to overstate. In the hands of competent threat actors, these cloud servers, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage," O'Sullivan said.
"It is possible a malicious actor could have used the exposed keys to impersonate Accenture, dwelling silently within the company's IT environment to gather more information. The specter of password reuse attacks also looms large, across multiple platforms, websites, and potentially hundreds of clients."
Varun Badhwar, CEO and co-founder of RedLock told IBTimes UK, that the firm's security team uncovered that 53% of organisations using cloud storage services have "inadvertently exposed one or more such service to the public" and "administrative user accounts at 38% of organisations have been compromised."
"This is worrisome because this number is up from 40% as reported by the team earlier in May and occurring despite warnings from Amazon to customers about the risks of misconfigurations," Badhwar said.
"The fact that a large database of credentials was compromised in this breach creates additional opportunities for hackers to infiltrate the network. It's imperative that any organisation facing this type of incident replace all compromised credentials immediately. But more importantly, they must vigilantly monitor their environments for intrusions by looking for suspicious activities to contain any potential breaches."