‘IndieFlix’ Has Exposed 93,867 Sensitive Files via S3 Server Misconfiguration [Update]

Last updated September 25, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

The latest company to blunder hugely by misconfiguring its Amazon S3 server for password-less access is ‘IndieFlix,’ a subscription-based video streaming service specialized in “indie” productions, features films, and documentaries. The leaky bucket discovery came from CyberNews researchers, who found 93,867 files in the server that contained very sensitive data.

The team contacted IndieFlix immediately on July 15, 2020, but the platform failed to respond timely. On July 22, 2020, CyberNews reached out to Amazon, and after they informed the owner directly, the database got finally secured.

The data that has been exposed online includes the following:

agreement

Source: CyberNews

w9_form

Source: CyberNews

From what can be deduced, no subscriber data has been exposed in this incident. However, filmmakers, distribution agents, and various professionals working in the film industry have had their extremely sensitive data compromised. Tax IDs, emails, phone numbers, street addresses, full names, signatures, and SSNs make up for a catastrophic cocktail of information that can be used for anything, from simple scams to sophisticated identity theft scenarios.

Several of these things cannot be reset, so there really is no way to effectively manage the risks other than to be very careful with incoming messages and to monitor all activities around your name. Registering for an identity theft monitoring service would also be a great idea if you’re affected by this incident.

IndieFlix eventually had communication with CyberNews and admitted that the exposed documents were uploaded to the particular server by mistake. These files were typically stored in a secure private drive, not in the AWS server, but an old backup was somehow mistakenly uploaded there. Indeed, the fact that the files date between 2013 and 2016 confirms this scenario.

As for the duration of the exposure, IndieFlix managed to trace the initial upload’s timestamp, and it apparently occurred back in May 2015. Even though that’s more than five years, the platform states that they see no signs of malicious access, but that’s very unlikely to be the case.

UPDATE: The CEO and co-founder of IndieFlix, Scilla Andreen, has provided TechNadu with the following clarifications on the present story:



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: