According to cybersecurity firm WizCase, a terabyte of data comprising 5.5 million files was left exposed online, disclosing the personal information of more than 100,000 clients of a Colombian real estate agency.
The WizCase researchers, led by Ata Hakçıl, said that the leaked data wasn’t encrypted and that no password or login credentials were required to access it. The data was found in a misconfigured Amazon Web Services (AWS) Simple Storage Service (S3) bucket.
The exposure disclosed sensitive information such as clients’ names, pictures, and addresses. The files in the bucket include invoices, income documents, quotations, and account statements from 2014 to 2021.
The following is a complete list of the leaked information:
- Full names
- Phone numbers
- Email addresses
- Residential addresses
- Amounts paid for estates
- Asset values
Additional information, such as profile photos, usernames, and hashed passwords, is reportedly included in a database backup stored in the bucket. The researchers also discovered malicious backdoor code in the bucket, which could be used to maintain access to the website and redirect unwary users to fake pages.
It’s unclear whether malicious actors have used these files in any campaign. However, based on a sampling of the documents, the misconfiguration exposed records of $140 to $200 billion in transactions, or a $46 billion yearly transaction history. This amount is around 14% of the total economy of Colombia.
Because the data is highly confidential, cybercriminals could use it to launch phishing attacks and carry out various kinds of fraud or scams, such as tricking users into making additional payments or, worse, into revealing more personal information by tampering with the website’s backend infrastructure.