Awesome
YAS3BL (Yet Another S3 Bucket Leak)
π Enumerating all the AWS S3 bucket leaks that have been discovered to date.
| Company | Link | Records Exposed | Data |
|---|---|---|---|
| <h4>211 LA County</h4> | π | 3.2 million | Files include access credentials for 211 system operators, email addresses for contacts and registered resources of LA County 211, and detailed call notes, including full names, phone numbers, addresses, and even 33,000 instances of full Social Security numbers. |
| <h4>Accenture</h4> | π | 137+ GB | 4 S3 buckets exposing secret API data, authentication credentials, 40,000 plaintext passwords, credentials for GCP and Azure accounts, SSL certificates, private decryption keys, production VPN keys for internal/private networks, database dumps, user IP addresses, JSESSION IDs. |
| <h4>AgentRun</h4> | π | Names, addresses, dates of birth, phone numbers, income ranges, social security numbers (SSNs), driver licenses, armed forces and voter identification cards, bank checks, insurance policy documents, health and medical information (e.g. prescriptions and dosages), and some financial data. Insurance companies found in the data included Cigna, TransAmerica, SafeCo, Schneider Insurance, Manhattan Life, Everest - to name a few. | |
| <h4>Alliance Direct Lending Corporation</h4> | π | 1 million | Names, addresses, credit scores and partial Social Security numbers |
| <h4>Alteryx</h4> | π | 123 million | Data sets belonging to Experian and US Census Bureau, containing personal details of 198 million American voters and 123 million American household PII data such as home addresses, contact information, morgage ownership, financial histories, and purchasing behaviors. |
| <h4>Australian Broadcasting Company</h4> | π | 50,000 | Personal data of Australian employees of several government agencies, banks, and a utility company, including full names, passwords, IDs, phone numbers, email addresses, credit card numbers, salaries and expenses. |
| <h4>Booz Allen Hamilton</h4> | π | Undisclosed | Top Secret data from DoD, Pentagon, and National Geospatial Intelligence Agency (NGA), SSH keys, credentials granting access to data center Operating System |
| <h4>DeepRoot Analytics</h4> | π | 200 million | 1.1 Terabytes worth of data on registered voters |
| <h4>Department of Defense</h4> | π | 1.8 billion | Three (3) S3 buckets containing 1.8 billion posts of scraped internet content over the last 8 years. |
| <h4>Dow Jones</h4> | π | 2.2 - 4 million | Names, addresses, account information, email addresses, and last four digits of credit card numbers of millions of subscribers to Dow Jones publications |
| <h4>ES&S</h4> | π | 1.8 million | Chicago voter names, addresses, date-of-births, partial SSNs, Driver Licenses, and state ID numbers |
| <h4>Fedex</h4> | π | 119,000 | Scanned documents of US and international citizens, such as passports, driver licenses, security IDs, home addresses, phone numbers, zip codes |
| <h4>Groupize</h4> | π | 38,000 | Credit Card numbers, expiration dates, CVV codes |
| <h4>Honda</h4> | π | 50,000 | Names, phone numbers and email addresses for users and their trusted contacts, passwords, gender, information about their cars including VIN, Connect IDs. |
| <h4>MBM Company Inc.</h4> | π | 1.3 million | Names, addresses, zip codes, phone numbers, email addresses, ip addresses, plaintext passwords |
| <h4>Mexico's Electoral Authority (INE)</h4> | π | 93.4 million | Mexican voter registration data |
| <h4>National Credit Federation</h4> | π | 111 GB | Internal personal and financial data of tens of thousands of customers. |
| <h4>NSA</h4> | π | 47 files | Highly sensitive INSCOM data. Some data was 'NOFORN' classified, indicating high sensitivity that cannot be shared with foreign allies |
| <h4>Octoly</h4> | π | 12,000 | A database backup, called octoly_production.sql, exposed real names, addresses, phone numbers, email addresses, birth dates of thousands of influential online personalities (Instagram, Twitter, and YouTube personalities), like Dior, Lancome, and Blizzard Entertainment |
| <h4>Patient Home Monitoring</h4> | π | 316,363 | 47.5 GB PDF medical records containing weekly blood test results, patient names, addresses, and phone numbers. Development server backups. Doctor's names, case management notes, and additional client information. |
| <h4>SVR Tracking</h4> | π | 540,642 | Tracking unit information including usernames, passwords, emails, Vehicle Identification Numbers, license plate numbers, IMEI numbers of GPS devices, specific location where the tracking units were hidden, information on customers and 427 dealerships, 116 GB of hourly backups, 8.5 GB of daily backups from 2017, and 339 log documents |
| <h4>TigerSwan</h4> | π | 9,402 | Resumes of Top Secret US military veterans names, addresses, phones, emails, Driver License numbers, passport numbers, partial SSNs |
| <h4>Time Warner/BroadSoft</h4> | π | 4 million | 600 GB worth of data including usernames, emails addresses, MAC addresses, device serial numbers, and financial transaction information |
| <h4>Verizon</h4> | π | 14 million | Verizon customer names, addresses, account details, and Personal Identification Numbers (PIN) |
| <h4>Verizon</h4> | π | 100 MB | Data from internal Verizon Wireless system (DVS), 129 Outlook messages, logs, server names & info, admin usernames & passwords |
| <h4>Viacom</h4> | π | 72 files | Encrypted compressed archives containing backup of company's IT infrastructure and private GPG keys used to encrypt the compressed archives |
| <h4>WWE</h4> | π | 3,065,805 | Fans names, physical addresses, email addresses, earnings, ethnicity, childrenβs age ranges, birthdates and additional personally identifiable information |