Amazon Web Services is contacting customers with S3 buckets that are configured to be freely accessed by anyone on the internet to review access controls following the leak of two million Dow Jones user details.
It said the number could be as high as 4 million. The data exposed included people's names, addresses, account information, email addresses, and the last four digits of their credit card numbers.
The data was stored in an AWS S3 bucket configured to allow access to 'authenticated users', which in AWS language means anyone with an AWS account, which is free to obtain.
Last week a similar data breach at US telco Verizon exposed 6 million customer records through an unprotected S3 server.
And in June, a trove of top secret data managed by government security contractor Booz Allen Hamilton was left accessible to the web through the same misconfiguration.
Emails circulated to AWS customers, sighted by iTnews, warns those with open access to S3 buckets to reconsider this configuration.
"We’re writing to remind you that one or more of your Amazon S3 bucket access control lists (ACLs) are currently configured to allow access from any user on the internet," the cloud giant said.
"While there are reasons to configure buckets with world read access, including public websites or publicly downloadable content, recently, there have been public disclosures by third parties of S3 bucket contents that were inadvertently configured to allow world read access but were not intended to be publicly available.
"We encourage you to promptly review your S3 buckets and their contents to ensure that you are not inadvertently making objects available to users that you don’t intend."
S3 access control lists can be changed through the management console or command line interface.
By default S3 buckets are set to allow read access only to the account owner.