Accenture is the latest big firm found to be operating misconfigured Amazon S3 storage buckets, exposing security credentials and customer information in the process.
Security researchers at UpGuard - which discovered other similar incidents affecting Dow Jones, Verizon, Viacom and Booz Allen Hamilton - said that found four S3 buckets run by Accenture that had been “configured for public access”.
The buckets contained “significant internal Accenture data, including cloud platform credentials and configurations”, UpGuard said in a blog post.
The researchers immediately notified Accenture and the buckets were secured within the day.
“All four S3 buckets contain highly sensitive data about Accenture Cloud Platform, its inner workings, and Accenture clients using the platform,” the researchers said.
One of the exposed buckets contained “the master access key for Accenture’s account with Amazon Web Service’s Key Management Service, exposing an unknown number of credentials to malicious use.”
Also exposed were private signing keys, VPN keys, complete event logs, and large database dumps, including “a collection of nearly 40,000 plaintext passwords ... in one of the database backups.”
Many of the passwords in the files, however, were hashed.
UpGuard said that the misconfiguration “could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks”.
The discovery came despite efforts by Amazon back in July to get S3 customers to review their configurations and potentially rethink whether they needed buckets that were open access.
In the same month, an unsecured S3 repository exposed the personal details of between 2.2 million and 4 million customers of Dow Jones.
A third-party vendor working with American telco giant Verizon also left the data of as many as 14 million United States customers exposed on a misconfigured server.
In September, Viacom suffered a similar misconfiguration issue that exposed a full set login credentials for the media giant and its subsidiaries.