Another day, another unprotected Amazon S3 bucket was left unprotected and accessible by anyone with a web browser. The contents of the bucket include CSV files of about 7 GB, which were populated with lists of unhashed email addresses. The number of the strings exposed is approximately 350,000,000, so this was a pretty massive collection of email addresses.
The discovery and the reporting come from the CyberNews research team, who couldn’t figure out who is the owner of the unprotected database. Thus, they contacted Amazon directly on June 10, 2020, and the internet company closed the bucket almost immediately.
More specifically, the contents of the S3 bucket were the following:
The unsecured bucket remained online for at least 18 months, so the possibility of malicious access should be considered a certainty. With that taken for granted, the question should be what the consequences are.
First of all, actors could use these CSV files for spamming 350 million email addresses. Secondly, these addresses could be used for phishing attacks and malware/botnet spreading campaigns. Thirdly, knowing the email address of someone is the first step required for taking over the account, so brute-forcing the passwords is the worst possible scenario. Hackers could search the email address on breach data indexes and get more relevant details that could help them with their brute-forcing effort.
The researchers estimate the value of this leak to be between $17,500 and $175,000, depending on the actual quality of the content.
As for what the exposed individuals can do now, first, check if you’re included in the particular database. If you find that you are, reset your email password and pick something strong that you’re not using anywhere else. From now on, treat incoming communications with extra care - although this is something that you should be doing anyway. If the volume of spam you’re getting increases suddenly, you will at least know the reason why that happens.