Accenture exposed by misconfigured AWS storage

By

Security keys and 40,000 plaintext passwords.

Accenture is the latest big firm found to be operating misconfigured Amazon S3 storage buckets, exposing security credentials and customer information in the process.

Accenture exposed by misconfigured AWS storage

Security researchers at UpGuard - which discovered other similar incidents affecting Dow Jones, Verizon, Viacom and Booz Allen Hamilton - said that found four S3 buckets run by Accenture that had been “configured for public access”.

The buckets contained “significant internal Accenture data, including cloud platform credentials and configurations”, UpGuard said in a blog post.

The researchers immediately notified Accenture and the buckets were secured within the day.

“All four S3 buckets contain highly sensitive data about Accenture Cloud Platform, its inner workings, and Accenture clients using the platform,” the researchers said.

One of the exposed buckets contained “the master access key for Accenture’s account with Amazon Web Service’s Key Management Service, exposing an unknown number of credentials to malicious use.”

Also exposed were private signing keys, VPN keys, complete event logs, and large database dumps, including “a collection of nearly 40,000 plaintext passwords ... in one of the database backups.”

Many of the passwords in the files, however, were hashed.

UpGuard said that the misconfiguration “could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks”.

The discovery came despite efforts by Amazon back in July to get S3 customers to review their configurations and potentially rethink whether they needed buckets that were open access.

In the same month, an unsecured S3 repository exposed the personal details of between 2.2 million and 4 million customers of Dow Jones.

A third-party vendor working with American telco giant Verizon also left the data of as many as 14 million United States customers exposed on a misconfigured server.

In September, Viacom suffered a similar misconfiguration issue that exposed a full set login credentials for the media giant and its subsidiaries.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
accentureaccessawsinformation securityinfosecpublics3securitystorage

Sponsored Whitepapers

Futureproof Your Business with Datacom and AMD: Seamless Windows 11 Transition
Futureproof Your Business with Datacom and AMD: Seamless Windows 11 Transition
See everything. Do more.
See everything. Do more.
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Diamond IT Delivers GRC Transformation with Microsoft Purview
Diamond IT Delivers GRC Transformation with Microsoft Purview
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks

Events

Most Read Articles

Woolworths' CSO is Optus-bound

Woolworths' CSO is Optus-bound
Australia's super funds told to assess authentication controls

Australia's super funds told to assess authentication controls
Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies
The Northern Beaches Women's Shelter hones focus on tech-enabled abuse

The Northern Beaches Women's Shelter hones focus on tech-enabled abuse
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?