YAS3BL (Yet Another S3 Bucket Leak)

🔓 Enumerating all the AWS S3 bucket leaks that have been discovered to date.

| Company | Link | Records Exposed | Data |
| --- | --- | --- | --- |
| 211 LA County | 🔗 | 3.2 million | Files include access credentials for 211 system operators, email addresses for contacts and registered resources of LA County 211, and detailed call notes, including full names, phone numbers, addresses, and even 33,000 instances of full Social Security numbers. |
| Accenture | 🔗 | 137+ GB | 4 S3 buckets exposing secret API data, authentication credentials, 40,000 plaintext passwords, credentials for GCP and Azure accounts, SSL certificates, private decryption keys, production VPN keys for internal/private networks, database dumps, user IP addresses, JSESSION IDs. |
| AgentRun | 🔗 | | Names, addresses, dates of birth, phone numbers, income ranges, Social Security numbers (SSNs), driver licenses, armed forces and voter identification cards, bank checks, insurance policy documents, health and medical information (e.g. prescriptions and dosages), and some financial data. Insurance companies found in the data included Cigna, TransAmerica, SafeCo, Schneider Insurance, Manhattan Life, Everest, to name a few. |
| Alliance Direct Lending Corporation | 🔗 | 1 million | Names, addresses, credit scores and partial Social Security numbers |
| Alteryx | 🔗 | 123 million | Data sets belonging to Experian and US Census Bureau, containing personal details of 198 million American voters and 123 million American household PII data such as home addresses, contact information, mortgage ownership, financial histories, and purchasing behaviors. |
| Australian Broadcasting Company | 🔗 | 50,000 | Personal data of Australian employees of several government agencies, banks, and a utility company, including full names, passwords, IDs, phone numbers, email addresses, credit card numbers, salaries and expenses. |
| Booz Allen Hamilton | 🔗 | Undisclosed | Top Secret data from DoD, Pentagon, and National Geospatial Intelligence Agency (NGA), SSH keys, credentials granting access to data center Operating System |
| DeepRoot Analytics | 🔗 | 200 million | 1.1 Terabytes worth of data on registered voters |
| Department of Defense | 🔗 | 1.8 billion | Three (3) S3 buckets containing 1.8 billion posts of scraped internet content over the last 8 years. |
| Dow Jones | 🔗 | 2.2 - 4 million | Names, addresses, account information, email addresses, and last four digits of credit card numbers of millions of subscribers to Dow Jones publications |
| ES&S | 🔗 | 1.8 million | Chicago voter names, addresses, dates of birth, partial SSNs, Driver Licenses, and state ID numbers |
| FedEx | 🔗 | 119,000 | Scanned documents of US and international citizens, such as passports, driver licenses, security IDs, home addresses, phone numbers, zip codes |
| Groupize | 🔗 | 38,000 | Credit Card numbers, expiration dates, CVV codes |
| Honda | 🔗 | 50,000 | Names, phone numbers and email addresses for users and their trusted contacts, passwords, gender, information about their cars including VIN, Connect IDs. |
| MBM Company Inc. | 🔗 | 1.3 million | Names, addresses, zip codes, phone numbers, email addresses, IP addresses, plaintext passwords |
| Mexico's Electoral Authority (INE) | 🔗 | 93.4 million | Mexican voter registration data |
| National Credit Federation | 🔗 | 111 GB | Internal personal and financial data of tens of thousands of customers. |
| NSA | 🔗 | 47 files | Highly sensitive INSCOM data. Some data was 'NOFORN' classified, indicating high sensitivity that cannot be shared with foreign allies |
| Octoly | 🔗 | 12,000 | A database backup, called octoly_production.sql, exposed real names, addresses, phone numbers, email addresses, birth dates of thousands of influential online personalities (Instagram, Twitter, and YouTube personalities), like Dior, Lancome, and Blizzard Entertainment |
| Patient Home Monitoring | 🔗 | 316,363 | 47.5 GB PDF medical records containing weekly blood test results, patient names, addresses, and phone numbers. Development server backups. Doctor's names, case management notes, and additional client information. |
| SVR Tracking | 🔗 | 540,642 | Tracking unit information including usernames, passwords, emails, Vehicle Identification Numbers, license plate numbers, IMEI numbers of GPS devices, specific location where the tracking units were hidden, information on customers and 427 dealerships, 116 GB of hourly backups, 8.5 GB of daily backups from 2017, and 339 log documents |
| TigerSwan | 🔗 | 9,402 | Resumes of Top Secret US military veterans: names, addresses, phones, emails, Driver License numbers, passport numbers, partial SSNs |
| Time Warner/BroadSoft | 🔗 | 4 million | 600 GB worth of data including usernames, email addresses, MAC addresses, device serial numbers, and financial transaction information |
| Verizon | 🔗 | 14 million | Verizon customer names, addresses, account details, and Personal Identification Numbers (PIN) |
| Verizon | 🔗 | 100 MB | Data from internal Verizon Wireless system (DVS), 129 Outlook messages, logs, server names & info, admin usernames & passwords |
| Viacom | 🔗 | 72 files | Encrypted compressed archives containing backup of company's IT infrastructure and private GPG keys used to encrypt the compressed archives |
| WWE | 🔗 | 3,065,805 | Fans' names, physical addresses, email addresses, earnings, ethnicity, children's age ranges, birthdates and additional personally identifiable information |