Japanese game developer Ateam has proven that a simple Google Drive configuration mistake can result in the potential but unlikely exposure of sensitive information for nearly one million people over a period of six years and eight months.
The insecurely configured Google Drive instance contained 1,369 files with personal information on Ateam customers, Ateam business partners, former and current employees, and even interns and people who applied for a position at the company.
Ateam has confirmed that 935,779 individuals had their data exposed, with 98.9% being customers.
For Ateam Entertainment specifically, 735,710 people have been exposed.
The company says it has seen no concrete evidence of threat actors having stolen the exposed information but urges people to remain vigilant for unsolicited and suspicious communications.
If an employee, or someone else with the link to the Google Drive files, mistakenly exposed that link publicly, it could get indexed by search engines and become broadly accessible.
While it's unlikely that anyone found an exposed Google Drive URL on their own, this notification demonstrates a need for companies to properly secure their cloud services to prevent data from being mistakenly exposed.
It is very common for threat actors and researchers to find exposed cloud services, such as databases and storage buckets, and download the data contained in them.
While researchers usually responsibly disclose the exposed data, if threat actors find it, it can lead to bigger problems as they use it to extort companies or sell it to other hackers to use in their own attacks.
In 2017, security researcher Chris Vickery found misconfigured Amazon S3 buckets exposing databases containing 1.8 billion social and forum posts made by users worldwide.
Ten days later, the same researcher discovered another misconfigured S3 bucket that exposed what appeared to be classified information from INSCOM. While those breaches were responsibly disclosed, other cloud service misconfigurations have led to the data being leaked or sold on hacker forums.
Misconfigured Amazon S3 buckets have become a big enough problem that researchers have released tools that scan for exposed buckets.
The US Cybersecurity and Infrastructure Security Agency has also released guidance for companies on how to properly secure cloud services.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 01 Jan 2024 14:25:13 +0000