Plain text passwords and AWS secret keys among leaked info

Oct 23, 2018 19:04 GMT  ·  By

A misconfigured Amazon S3 bucket containing 73 Gigabytes of data from Washington-based internet service provider Pocket iNet was found to be publicly accessible by UpGuard's Cyber Risk team on October 11, 2018.

After initially stumbling upon the Amazon S3 bucket, Upguard notified Pocket iNet the same day about the incident via both e-mail and phone contact channels.

Pocket iNet initially confirmed the data leak and managed to fix the information exposure in seven days after the initial disclosure.

As discovered by UpGuard, the exposed S3 bucket contained a lot of sensitive information from Pocket iNet employees' AWS secret keys and plain text passwords to configuration details and inventory lists, as well as internal network diagramming.

The leaked plain text passwords were used as credentials for a number of services and devices such as servers, firewalls, wireless access points, core routers and switches.

Furthermore, given that most of the usernames paired with the plain text passwords were either "admin" or "root," a malicious actor who would get access to this information would have gained full access to various Pocket iNet network infrastructure components.

UpGuard's findings show that critical infrastructure such as ISPs are as susceptible to accidental data leaks as home users

Pocket iNet's leaked network configuration information when paired with the plain text credentials could have allowed attackers to gain complete control of the ISP's entire infrastructure with little to no effort.

In addition, the leaked database also contained photographs of Pocket iNet equipment, including cabling, routers, and towers, which could be used by attackers to gain knowledge into Pocket iNet's internal network infrastructure.

Although the S3 bucket named "pinapp2" exposed a lot of sensitive information, luckily only the "tech" folder was actually accessible which raises the question what other data would've been compromised if the entire bucket was downloadable.

"Misconfigured Amazon S3 storage is responsible for many large scale unintentional data exposures," says UpGuard in their report. "Although buckets are private by default, accidental or misinformed changes to the bucket’s access control list (ACL) can make the contents visible to the internet at large just by navigating to the bucket URL."

Photo Gallery (4 Images)

Pocket iNet data leak
Leaked Pocket iNet informationLeaked Pocket iNet information
+1more