Hundreds of RDS Snapshots Found Exposing PII and Other Data for a Month

essidsolutions

Hundreds of databases are inadvertently exposing data, including personally identifiable information (PII), on the internet. Incident response company Mitiga discovered that owners of hundreds of Amazon Relational Database Service (RDS) snapshots are unintentionally jeopardizing user privacy and inviting other cyber risks.

Mitiga researchers Ariel Szarf, Doron Karmi, and Lionel Saposnik came across “a lot of snapshots that were shared publicly for a few hours, days, and even weeks — either intentionally or by mistake.”

Amazon Relational Database Service (RDS) snapshots are point-in-time copies of databases that enable admins to back up databases. Snapshots can be retained for a specified period of time and used to create backups, migrate data, and so on.

Erich Kron, security awareness advocate at KnowBe4, told Spiceworks, “While cloud storage is convenient, it can also be a bit tricky for people who are not familiar with it to secure. The ability to do snapshots and share them, while very convenient, is something that can easily lead to issues that leave information exposed,” especially if you set the snapshot to be public.

Mitiga anonymized a few snapshots, detailed their contents, and the amount of time they were exposed and at risk of being exploited. For instance, snapshots of databases belonging to a car rental company and a telephone applications company were found to expose and potentially leak data for as long as a month.

These RDS snapshots contained PII such as names (first and last), phone numbers, email IDs, marital status, special occasions associated with customers (birthdays, anniversaries, etc.), full names of company employees; business details such as enquiry_segment (Personal, Company, Commercial, Captive, Fleet Owner, Hire, Individual, Institutional), organizations’ IDs and names, customer category type (B2B/B2C); and rental information such as car model and delivery dates.

RDS Snapshot of a Database Owned by a Car Rental Company Leaking PII and Other Data | Source: Mitiga

The one owned by the telecom company contained user IDs (equivalent to email addresses), phone device models, MAC addresses, client access tokens, and application IDs. Worryingly, a third snapshot, of a database owned by a dating application, that Mitiga assessed contained password hashes and links to personal images, besides emails and birthdates.


Overall, Mitiga observed 2,783 RDS snapshots in November, 1,859 of which were publicly exposed for one or two days, while 810 snapshots were exposed and at risk of data being stolen for 30 days.

Amazon likely notified the owners via email that their snapshots were public. But 810 of them being exposed for a month suggests the emails fell on deaf ears. Either way, admins consciously failed to secure these RDS snapshots.

“For organizations that store or process data within the cloud, processes should be in place to ensure that data remains protected even after making changes,” Kron continued. “The practice of having a second person confirm the permissions on data, while it can be inconvenient, can potentially save a lot of labor and the potential for fines, especially in heavily regulated industries.”

The apathy of admins towards security allowed Mitiga researchers to scan, clone, list, prepare (create a database instance from the snapshot’s Amazon Resource Name), extract, and clean up (delete) exposed snapshots. There is also no way to know whether the exposed snapshots were copied by anyone else.

Mitiga researchers outlined exposed RDS snapshots by the geography, database engine being used, and other aspects. The company recommends that organizations adopt the principle of least privilege to avoid giving unnecessary permissions, and encrypt any snapshots they may create.
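A defender-side check for the two conditions the article describes, a snapshot shared with every AWS account (the `restore` attribute containing `all`) and a snapshot left unencrypted, plus how long it has been sitting there. This is an added example, not Mitiga’s tooling or AWS sample code; the snapshot names and account ID in the sample data are constructed, and `live_audit` assumes boto3 with read-only RDS credentials.

```python
"""Audit RDS manual snapshots for public sharing and missing encryption."""
from datetime import datetime, timedelta, timezone


def is_public(attributes_result):
    """True if the snapshot's 'restore' attribute lists 'all' (public)."""
    for attr in attributes_result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore" and "all" in attr.get("AttributeValues", []):
            return True
    return False


def audit_snapshots(snapshots, attributes_by_id, now):
    """Flag snapshots that are public or unencrypted, with their age in days.

    snapshots:         list shaped like describe_db_snapshots()['DBSnapshots']
    attributes_by_id:  {id: describe_db_snapshot_attributes()['DBSnapshotAttributesResult']}
    """
    findings = []
    for snap in snapshots:
        sid = snap["DBSnapshotIdentifier"]
        public = is_public(attributes_by_id.get(sid, {}))
        encrypted = bool(snap.get("Encrypted", False))
        age_days = (now - snap["SnapshotCreateTime"]).days
        if public or not encrypted:
            findings.append({"id": sid, "public": public, "encrypted": encrypted, "age_days": age_days})
    return findings


def live_audit(region):
    """Collect real data with boto3 (imported lazily so the audit logic runs offline)."""
    import boto3
    rds = boto3.client("rds", region_name=region)
    snaps = [s for p in rds.get_paginator("describe_db_snapshots").paginate(SnapshotType="manual")
             for s in p["DBSnapshots"]]
    attrs = {s["DBSnapshotIdentifier"]: rds.describe_db_snapshot_attributes(
        DBSnapshotIdentifier=s["DBSnapshotIdentifier"])["DBSnapshotAttributesResult"] for s in snaps}
    return audit_snapshots(snaps, attrs, datetime.now(timezone.utc))


# Constructed sample data mirroring the boto3 response shapes (not real snapshots).
NOW = datetime(2022, 12, 1, tzinfo=timezone.utc)
SAMPLE_SNAPSHOTS = [
    {"DBSnapshotIdentifier": "crm-prod-2022-11-01", "Encrypted": False, "SnapshotCreateTime": NOW - timedelta(days=30)},
    {"DBSnapshotIdentifier": "staging-2022-11-29", "Encrypted": True, "SnapshotCreateTime": NOW - timedelta(days=2)},
]
SAMPLE_ATTRIBUTES = {
    "crm-prod-2022-11-01": {"DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]},
    "staging-2022-11-29": {"DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["123456789012"]}]},
}

if __name__ == "__main__":
    for f in audit_snapshots(SAMPLE_SNAPSHOTS, SAMPLE_ATTRIBUTES, NOW):
        print(f)
```

To remediate a flagged snapshot, `modify_db_snapshot_attribute(DBSnapshotIdentifier=..., AttributeName="restore", ValuesToRemove=["all"])` removes the public share; AWS does not allow encrypted snapshots to be shared publicly, so enabling encryption closes that path going forward.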


Image source: Shutterstock
