Viacom data leak: 'Keys to the media kingdom', critical info exposed in major cloud storage error

Viacom accidentally left a trove of key internal access credentials, critical data and configuration files exposed on an unsecured Amazon server that could have allowed hackers to cause grave damage to the media empire's array of entertainment companies and brands. The powerful Fortune 500 company owns a number of major media companies and cable channels including Paramount Pictures, Comedy Central, and Nickelodeon among others.

Chris Vickery, director of Cyber Risk Research at UpGuard, discovered the vulnerable Amazon Web Services S3 cloud storage bucket on 30 August that was mistakenly configured for public access, potentially allowing anyone with the correct URL to access and download the confidential data.

The exposed repository contained 72 compressed .tgz files in a folder named "mcs-puppet" that seemed to contain the primary or backup configuration of Viacom's IT infrastructure, researchers said.

Besides passwords and manifests from Viacom's servers, the bucket contained the media giant's access key and secret key for its AWS account. Although some of the data was encrypted using GPG, the bucket also contained the GPG decryption keys that could have unlocked the sensitive data.

"Exposed in the leak are a master provisioning server running Puppet, left accessible to the public internet, as well as the credentials needed to build and maintain Viacom servers across the media empire's many subsidiaries and dozens of brands," UpGuard said in a blog post. "Perhaps most damaging among the exposed data are Viacom's secret cloud keys, an exposure that, in the most damaging circumstances, could put the international media conglomerate's cloud-based servers in the hands of hackers."

UpGuard researchers warned that the mistake could have allowed nefarious actors to launch a host of damaging cyberattacks against the media behemoth.

"This cloud leak exposed the master controls of the world's sixth-largest media corporation, potentially enabling the takeover of Viacom's internal IT infrastructure and internet presence by any malicious actors," researchers said.

The server was secured by Viacom on 31 August, hours after UpGuard notified the company. It is unclear how long the data was exposed and if any hackers have accessed the sensitive files. Viacom said there was no evidence to suggest that its data was abused by hackers and noted that no customer details were exposed in the leak.

"The potential nefarious acts made possible by this cloud leak could have resulted in grave reputational and business damages for Viacom, on a scale rarely seen," the firm said. "Once Viacom became aware that information on a server - including technical information, but no employee or customer information - was publicly accessible, we rectified the issue."

The exposure is the latest in a slew of S3 buckets and cloud-related data leaks discovered by security researchers that were inadvertently left exposed due to cloud configuration errors.

"The leaked Viacom data is remarkably potent and of great significance, an important reminder that cloud leaks need not be large in disk size to be devastating; when it comes to data exposures, quality can be as vital as quantity," UpGuard said.

"Analysis of the Viacom leak reveals nothing less than this: the keys to a media kingdom were left publicly accessible on the internet, completely compromising the integrity of Viacom's digital infrastructure."