- The data leak occurred due to a misconfigured Amazon S3 storage bucket that had no password.
- The leaked plain text passwords mainly belonged to Pocket iNet employees, and almost all of the accounts were named either “root” or “admin”.
An unprotected server at the little-known Washington-based Internet service provider Pocket iNet publicly exposed 73GB of data. The data included AWS secret keys, passwords and corporate information that were at least six months old.
Cybersecurity firm UpGuard revealed the incident on October 23, 2018. UpGuard researchers discovered that the data leak was caused by a misconfigured Amazon S3 storage bucket that had no password. This would have allowed hackers to gain access to the information stored in the bucket without the need for any authorization.
“Among the data exposed were lists of plain text passwords and AWS secret keys for Pocket iNet employees, internal network diagramming, configuration details, and inventory lists, and photographs of Pocket iNet equipment, including routers, cabling, and towers,” UpGuard researchers said in a blog post.
The firm discovered the unsecured bucket, named pinapp2, on October 11, 2018. Upon analysis, experts found that 73GB of data, including spreadsheets, pictures and diagrams belonging to Pocket iNet, was freely available to anyone on the internet.
Although a good amount of information was exposed, UpGuard researchers said that “not all of the bucket contents were downloadable”.
The leaked plain text passwords mainly belonged to Pocket iNet employees. Almost all of the accounts were named “root” or “admin”, which indicates that the compromised accounts may have carried high-level privileges.
“Nearly all of these accounts were named "root" or "admin," meaning that these credentials likely offer full access to read and modify the assets to which they pertain. The malicious potential should these credentials fall into the hands of a bad actor is extremely high, creating risk for the entire Pocket iNet network infrastructure,” the researchers explained.
The leaked data also included a list of “priority customers”, namely, Lockheed Martin, Toyota, the Richland School District and the Lourdes Medical Center.
Containing the crisis
UpGuard researchers said that the firm notified the ISP about the data leak on the day of its discovery. However, it took Pocket iNet almost seven days to secure the exposure.
“Due to the severity of this exposure, UpGuard expended significant effort during those seven days, repeatedly contacting Pocket iNet and relevant regulators, including using the contact information found within the exposed dataset,” UpGuard researchers said.
“The accidental exposure of administrative credentials, as in the case of Pocket iNet, makes it easy for a potential malicious actor to exploit resources for their own agenda,” the researchers added. “Technology based businesses-- which is nearly every business today-- must understand and proactively mitigate the risk of unintentional data exposure to protect themselves and their customers.”
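The kind of proactive check the researchers call for can be automated. The following is an added example, not code from UpGuard or Pocket iNet: it audits a bucket's ACL, bucket policy and Block Public Access settings for anonymous access. The report does not say which setting exposed the bucket, so the sample configuration and the name `example-bucket` are constructed, and the inputs are assumed to follow the JSON shapes S3 uses for these settings.

```python
# S3 predefined groups whose presence in an ACL grant makes it public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def public_acl_grants(acl, pab):
    """Grants to public groups, unless Block Public Access ignores them."""
    if pab.get("IgnorePublicAcls"):
        return []
    return [
        f"ACL: {g['Permission']} granted to {g['Grantee']['URI'].rsplit('/', 1)[-1]}"
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS
    ]

def public_policy_statements(policy, pab):
    """Allow statements with a wildcard principal and no Condition.
    Simplification: conditioned wildcard statements need manual review."""
    if pab.get("RestrictPublicBuckets"):
        return []
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        principal = st.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        if st.get("Effect") == "Allow" and wildcard and not st.get("Condition"):
            findings.append(f"Policy: {_as_list(st.get('Action'))} allowed for any principal")
    return findings

def audit_bucket(acl, policy, pab):
    return public_acl_grants(acl, pab) + public_policy_statements(policy, pab)

# Constructed sample configuration (not Pocket iNet's actual settings).
ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
]}
PAB_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
PAB_ON = {key: True for key in PAB_OFF}

if __name__ == "__main__":
    for label, pab in (("Block Public Access off", PAB_OFF), ("on", PAB_ON)):
        print(label, audit_bucket(ACL, POLICY, pab) or "no public access found")
```

With all four Block Public Access settings enabled, the same public ACL grant and wildcard policy no longer yield anonymous access, which is why enabling them at the account level is a common baseline.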