Brought to you by ITPro
Accenture left four Amazon Web Services (AWS) S3 buckets open and downloadable to the public, containing software for its Accenture Cloud Platform enterprise cloud offering and other sensitive internal data, security researchers said today.
The unsecured AWS S3 buckets were discovered by UpGuard security researcher Chris Vickery on Sept. 17, 2017, and revealed "significant internal Accenture data, including cloud platform credentials and configurations." Credentials for Accenture's Google and Azure accounts also appeared to be stored in one of the buckets, which could have far-reaching consequences in the hands of a malicious actor.
The servers were secured the next day after UpGuard Director of Cyber Risk Research Vickery notified Accenture.
The company, which provides consulting and professional services, is not the first to have had unsecured AWS S3 buckets discovered by UpGuard. Earlier this year, Vickery notified Verizon, and election data firm Deep Root Analytics about AWS S3 buckets open to the public, exposing tens of millions of customer and voter records, respectively.
In a blog post on Tuesday, Vickery said that this exposure could have been prevented with a simple password requirement added to each bucket. His recommendation comes as a new survey by OneLogin finds that IT pros are failing to enforce password policies.
Accenture's AWS S3 buckets contained internal access keys and credentials for use by the Identity API, plaintext
Is Offshore Hosting For You?
Find out why you too should be hosting offshore. Click here now!