Over the last few years there have been multiple examples of leaky cloud services exposing millions of user records (with easily predictable consequences for the privacy of the unaware victims), or even fueling other attacks, as in the case of the two Magecart campaigns carried out by compromising the AWS S3 buckets hosting the targeted sites’ configuration files.
And although AWS S3 is the service that most commonly leaks data, it’s not the only one, as you will notice. Last but not least, I will keep this list updated as new cloud breaches are revealed during 2021.
As always, thanks for sharing and supporting my work for spreading risk awareness across the community. Also, don’t forget to follow @paulsparrows on Twitter, or even connect on LinkedIn.
| Date Reported | Date Discovered | Company | Description | Cloud Service | Data Exposed | Country | Sector |
|---|---|---|---|---|---|---|---|
| 04/01/2021 | 4/1/2021 | Nissan North America | The source code of mobile apps and internal tools developed and used by Nissan North America leaks online after the company misconfigured one of its Git servers. | BitBucket | Source code of mobile apps and internal tools | US | C Manufacturing |
| 14/01/2021 | 18/8/2020 | Juspay | The data of 35 million users from Juspay goes on sale on the dark web. | AWS S3 | 35 million users | IN | K Financial and insurance activities |
| 15/01/2021 | 12/9/2020 | CHS Consulting | Thousands of UK business professionals have had their personal details exposed online via a leaky Amazon Web Services bucket. | AWS S3 | 1000s of personal documents including passports. | UK | M Professional scientific and technical activities |
| 19/01/2021 | 13/10/2020 | Fleek | A cloud misconfiguration at a now-defunct social media app has exposed hundreds of thousands of files, including explicit photos of users that they thought had been deleted. | AWS S3 | 32 Gb (377,000 files) | US | R Arts entertainment and recreation |
| 19/01/2021 | During December 2020 | Nohow International | An unsecured Microsoft Azure Blob leaks deeply sensitive documents of more than 12,000 construction workers, including scans of passports, national IDs, birth certificates, and tax returns. | Microsoft Azure | Sensitive documents of more than 12,000 construction workers | UK | N Administrative and support service activities |
| 20/01/2021 | - | Pixlr | ShinyHunters shares a database that he claims was stolen from Pixlr while he breached the 123rf stock photo site. Pixlr and 123rf are both owned by the same company, Inmagine. | AWS S3 | 1.9 million user records | US | R Arts entertainment and recreation |
| 24/01/2021 | - | MeetMindful | The hacking group ShinyHunters leaks personal information of over 2 million MeetMindful users. | AWS S3 | 2.8 million user records | US | R Arts entertainment and recreation |
| 29/01/2021 | 1/12/2020 | Imobiliare | The largest real estate portal in Romania, Imobiliare, suffers a data breach after a bucket was found to be exposed, without password protection or encryption. | AWS S3 | 201,087 files belonging to 200,000 people | RO | N Administrative and support service activities |
| 01/02/2021 | 20/11/2020 | Confédération Européenne de Volleyball (CEV), or European Volleyball Confederation | A publicly exposed cloud storage bucket was found to contain images of hundreds of passports and identity documents belonging to journalists and volleyball players from around the world. | Microsoft Azure | Images of hundreds of passports and identity documents belonging to journalists and volleyball players from around the world. | EU | R Arts entertainment and recreation |
| 17/02/2021 | 16/2/2021 | Amber Group | A security lapse by a Jamaican government contractor exposes immigration records and COVID-19 test results for hundreds of thousands of travelers who visited the island over the past year. | AWS S3 | 70,000 negative COVID-19 lab results, over 425,000 immigration documents, and over 250,000 quarantine orders dating back to June 2020 | JM | Q Human health and social work activities |
| 25/02/2021 | 30/9/2020 | Inova | A misconfigured Amazon S3 bucket leaks private information about Turkish citizens: 55,000 court papers regarding over 15,000 legal cases, affecting hundreds of thousands of people. | AWS S3 | 55,000 court papers regarding over 15,000 legal cases | TR | M Professional scientific and technical activities |
| 01/03/2021 | 21/1/2021 | Ticketcounter | Ticketcounter suffers a data breach after a user database containing 1.9 million unique email addresses is stolen from an unsecured staging server. | Microsoft Azure | 1.9 million user records | NL | R Arts entertainment and recreation |
| 02/03/2021 | 12/2/2021 | Mariana Tek | An unsecured bucket belonging to Mariana Tek, a US-based software company, contained more than 1.5 million user records, including usernames, full names, street and email addresses, phone numbers, postal codes, account balances, and more. | AWS S3 | 1.5 million user records | US | M Professional scientific and technical activities |
| 03/03/2021 | 24/12/2020 | CallX | US telemarketing company leaks the personal details of potentially tens of thousands of consumers after misconfiguring a cloud storage bucket. | AWS S3 | 485GB containing more than 114,000 files belonging to 10,000-100,000 people | US | N Administrative and support service activities |
| 10/03/2021 | 22/02/2021 | Premier Diagnostics | Utah-based COVID-19 testing service Premier Diagnostics exposes thousands of ID scans. | AWS S3 | 207,524 images of roughly 52,000 patients’ photo ID scans | US | Q Human health and social work activities |
| 10/03/2021 | 14/12/2020 | Mobile Anesthesiologists | Mobile Anesthesiologists exposes the ePHI of 65,403 patients. | Microsoft Azure | Data of 65,403 patients | US | Q Human health and social work activities |
| 15/03/2021 | 24/12/2020 | Aljex Software | 103 GB worth of data belonging to Aljex Software is left exposed on a misconfigured AWS S3 bucket. | AWS S3 | 4,361 files (103 GB) | US | M Professional scientific and technical activities |
| 22/03/2021 | During 2020 | Hobby Lobby | Hobby Lobby exposes a large amount of data online, including customer names, phone numbers, physical and email addresses, and the last four digits of their payment card. | AWS S3 | 300,000 users' data (138 GB) | US | R Arts entertainment and recreation |
| 23/03/2021 | During December 2020 | Avianis | Private aviation services provider Solairus Aviation announces that some employee and customer data was compromised in a security incident at third-party vendor Avianis. | Microsoft Azure | Customer Data | US | M Professional scientific and technical activities |
| 30/03/2021 | During February 2021 | MobiKwik | Private information of nearly 100 million users of the Indian mobile payments startup is leaked on the dark web. | AWS S3 | 100M users (8.2 TB) | IN | K Financial and insurance activities |
| 01/04/2021 | 01/03/2021 | New York Foundling | The New York Foundling leaks more than 2,000 CSV and TXT files from an unsecured, publicly accessible Microsoft Azure Blob. | Microsoft Azure | 2,000 CSV and TXT files, each with hundreds or thousands of entries related to patients’ medical records | US | Q Human health and social work activities |
| 01/04/2021 | Since at least December 2020 | Med-Data | A former Med-Data employee uploads PHI of multiple healthcare organizations into multiple GitHub repositories. | GitHub | Multiple PHI records | US | M Professional scientific and technical activities |
| 08/04/2021 | - | Edraak | Edraak, an online education nonprofit, exposed the private information of thousands of students after uploading student data to an unprotected cloud storage server, apparently by mistake. | N/A | Private information of thousands of students | JO | Q Human health and social work activities |
| 11/04/2021 | - | Upstox | Indian stock trading firm Upstox reveals to users that it has suffered a serious security breach that may have seen unauthorised criminal access to millions of customers’ personal information. | AWS S3 | Sensitive information of approximately 2.5 million | IN | K Financial and insurance activities |
| 13/04/2021 | 23/02/2021 | LogicGate | Risk and compliance startup LogicGate confirms a data breach after an unauthorized third party obtains credentials to its Amazon Web Services-hosted cloud storage. | AWS S3 | Customer Backups | US | M Professional scientific and technical activities |
| 14/04/2021 | During January 2021 | Mercato | A security lapse at online grocery delivery startup Mercato exposed tens of thousands of customer orders. | AWS S3 | Tens of thousands of customer orders | US | I Accommodation and food service activities |
| 14/04/2021 | Late December 2020 | Bizongo | Bizongo, an online packaging marketplace, suffers a data leak in which the company left highly sensitive customer information unsecured. | AWS S3 | 2,532,610 files were exposed, equating to 643GB of data | IN | N Administrative and support service activities |
| 20/04/2021 | 16/03/2021 | Eversource | Eversource, the largest energy supplier in New England, suffers a data breach after customers' personal information is exposed on an unsecured cloud server. | N/A | Personal information of 11,000 Eversource customers | US | D Electricity gas steam and air conditioning supply |
| 27/04/2021 | 07/01/2021 | Microsoft? | A misconfigured Microsoft Azure blob exposes sensitive internal data that appears to originate from a series of pitches made to Microsoft Dynamics by numerous companies. | Microsoft Azure | 3,800 files | US | M Professional scientific and technical activities |
| 28/04/2021 | 10/03/2021 | Wyoming's Department of Health (WDH) | Wyoming's Department of Health (WDH) announced the accidental exposure of personal health information belonging to more than a quarter of the state's population on GitHub.com. | GitHub | 164,021 Wyoming residents | US | Q Human health and social work activities |
| 29/04/2021 | 04/02/2021 | Paleohacks | Paleohacks, a popular online resource for paleo recipes and tips, was the source of a data leak impacting roughly 70,000 users. | AWS S3 | 290 Mb of data belonging to 70,000 users | US | R Arts entertainment and recreation |
| 14/05/2021 | Late February 2021 | Apperta Foundation | Apperta Foundation exposes a public GitHub repo containing the source code for an insecure online portal and its database containing usernames, hashed passwords, email addresses, and API keys. | GitHub | Usernames, hashed passwords, email addresses, and API keys. | UK | Q Human health and social work activities |
| 19/05/2021 | 29/12/2020 | TeamBMS | Tens of thousands of jobseekers have their personal information exposed by a misconfigured AWS bucket. | AWS S3 | 5 GB of data with 21,000 files | UK | N Administrative and support service activities |
| 28/05/2021 | 11/01/2021 | 20/20 Eye Care Network and 20/20 Hearing Care Network | 20/20 Eye Care Network and 20/20 Hearing Care Network notify 3,253,822 health plan members of a breach that deleted contents of AWS buckets. | AWS S3 | Name, address, SSN, identification number, DOB, and health insurance information of 3,253,822 health plan members | US | Q Human health and social work activities |
| 17/06/2021 | 12/06/2021 | Volkswagen Group of America | Volkswagen Group of America customer data is being sold on a hacking forum after allegedly being stolen from an exposed Azure BLOB container. | Microsoft Azure | 3.3 million customers | US | C Manufacturing |
| 17/06/2021 | - | Cosmolog Kozmetik | Cosmolog Kozmetik exposes a 20GB trove containing around 9500 files, with personal information of 567,000 unique users who bought items from the provider across multiple e-commerce platforms. | AWS S3 | 20GB with 9500 files containing personal information of 567,000 unique users | TR | G Wholesale and retail trade |
| 24/06/2021 | 24/06/2021 | New York state government | A code repository used by the New York state government’s IT department was left exposed on the internet. | GitLab | Multiple projects, including secret keys and passwords | US | O Public administration and defence, compulsory social security |
| 24/06/2021 | 11/06/2021 | Mercedes-Benz USA | Mercedes-Benz USA discloses a data breach impacting some of its customers. | N/A | 1.6 million customer records | US | C Manufacturing |
| 16/07/2021 | 25/05/2021 | Artwork Archive | Misconfigurations in an Amazon S3 bucket belonging to Artwork Archive expose over 200 000 files. | AWS S3 | 200,000 files in 421GB of data related to over 7000 artists | US | R Arts entertainment and recreation |
| 16/07/2021 | Early June 2021 | BackNine | A misconfiguration at insurance technology startup BackNine exposes hundreds of thousands of insurance applications. | AWS S3 | 711,000 files | US | M Professional scientific and technical activities |
| 18/07/2021 | 14/05/2021 | Lake County Health Department | An unencrypted Google spreadsheet used by volunteers and staff is exposed, compromising the information of seniors seeking information on the COVID-19 vaccine. | Google Drive | 705 people | US | Q Human health and social work activities |
| 20/07/2021 | - | PeopleGIS | More than 1,000 GB of data and over 1.6 million files from dozens of municipalities in the US are left exposed, after PeopleGIS leaves over 80 AWS S3 buckets misconfigured. | AWS S3 | Over 80 misconfigured AWS S3 buckets totalling over 1000 GB of data and over 1.6M files | US | M Professional scientific and technical activities |
| 27/07/2021 | 10/03/2021 | Raven Hengelsport | Dutch fishing supply specialist Raven Hengelsport left details of around 246,000 customers visible to anyone on a misconfigured Microsoft Azure cloud server for months. | Microsoft Azure | 18GB of data containing details of 246,000 customers | NL | G Wholesale and retail trade |
| 29/07/2021 | - | Reindeer | A misconfigured Amazon S3 bucket belonging to Reindeer, a defunct marketing company, exposes over 50,000 files totalling 32GB of data. | AWS S3 | 1,400 profile photos and the details of approximately 306,000 customers | US | M Professional scientific and technical activities |
| 29/07/2021 | 26/06/2021 | Unidentified company | 35 million US residents’ personal details are exposed via a misconfigured Elasticsearch database hosted on AWS. | AWS S3 | 35 million US residents’ personal details exposed | US | Z Unknown |
| 05/08/2021 | 10/04/2021 | OneMoreLead | US-based B2B sales and marketing firm OneMoreLead leaks the private data of around 126 million American citizens in 34GB of data. | AWS S3 | 34 GB of data with 126 million records | US | M Professional scientific and technical activities |
| 05/08/2021 | - | New York City Public Schools | Personal information, including academic records and biographical data, of about 3,000 New York City public school students and 100 education department staff members is inadvertently shared. | Google Drive | 3,000 New York City public school students and 100 education department staff members | US | P Education |
| 09/08/2021 | - | SeniorAdvisor | A misconfigured AWS S3 bucket belonging to SeniorAdvisor, one of the leading consumer ratings and reviews websites for senior care/services in the USA and Canada, leaks more than 1,000,000 files and 182GB of data. | AWS S3 | 182 GB of data with 3 million records | US | S Other Service Activities |
| 10/08/2021 | - | Multiple companies | Researchers discover publicly accessible Salesforce Communities that are misconfigured and potentially expose sensitive information about companies, their operations, clients, and partners. | Salesforce | Sensitive information about companies, their operations, clients, and partners. | >1 | Y Multiple Industries |
| 12/08/2021 | - | Brooklyn Technical High School | Teachers’ social security numbers, student academic records, and families’ home addresses are among the dozens of pieces of information shared on Google Drive by the Brooklyn Technical High School. | Google Drive | Teachers’ social security numbers, student academic records, and families’ home addresses | US | P Education |
| 23/08/2021 | 24/05/2021 | 47 entities | Sensitive data including COVID-19 vaccination statuses, social security numbers and email addresses have been exposed due to weak default configurations for Microsoft Power Apps. | Microsoft Power Apps | 38 million data records | >1 | Y Multiple Industries |
| 26/08/2021 | - | Multiple companies | Microsoft warns thousands of its cloud computing customers, including some of the world's largest companies, that intruders could have the ability to read, change or even delete their main databases. | Microsoft Azure | - | >1 | Y Multiple Industries |
| 30/08/2021 | 15/07/2021 | electronic Health Alert Card (eHAC) | Passport info and healthcare data leaked from Indonesia's COVID-19 test-and-trace app for travelers. | Google Cloud Platform | Personal data of about 1.3 million people, including COVID-19 test results and more | ID | Q Human health and social work activities |
| 20/09/2021 | - | EventBuilder | A misconfiguration leaks thousands of personal records of people who registered for events on Microsoft Teams via the EventBuilder event management application. | Microsoft Azure | Thousands of personal records | >1 | S Other Service Activities |
| 23/09/2021 | - | Coninsa Ramon | Over a hundred thousand people’s personal information is exposed in the breach of Coninsa Ramon, a Colombian real estate company. | AWS S3 | 1.12TB of data, containing over 5.5 million documents | CO | L Real Estate Activities |
| 08/10/2021 | 20/10/2020 | Plug and Play Ventures | Plug and Play Ventures exposes a PostgreSQL database with 6GB of data. | AWS S3 | A PostgreSQL database with 6GB of data | US | N Administrative and support service activities |
| 11/10/2021 | 13/10/2020 | Thingiverse | Thingiverse, a website dedicated to sharing user-created digital design files, reportedly leaks a 36GB backup file that contains 228,000 unique email addresses and other personally identifiable information. | AWS S3 | A 36GB backup file with 228,000 unique email addresses and other PII | US | N Administrative and support service activities |
| 03/11/2021 | 04/09/2021 | Phlebotomy Training Specialists | Phlebotomy Training Specialists, a US medical training school, exposes the personally identifiable information (PII) of thousands of students. | AWS S3 | 157GB of data, with nearly 200,000 files belonging to 27,000 – 50,000 individuals | US | P Education |
| 22/11/2021 | 02/09/2021 | Wspot | Wspot, a Brazilian Wi-Fi management software firm, exposes 226,000 files, including personal information from approximately 2.5 million individuals. | AWS S3 | 226,000 files, including personal information from approximately 2.5 million individuals | BR | M Professional scientific and technical activities |
| 06/12/2021 | - | LINE Pay | Smartphone payment provider LINE Pay announces that around 133,000 users' payment details were mistakenly published on GitHub between September and November of this year. | GitHub | Around 133,000 users' payment details | JP | K Financial and insurance activities |
| 16/12/2021 | 26/10/2021 | Sennheiser | The German audio equipment manufacturer Sennheiser leaves an unsecured Amazon Web Services (AWS) server online with around 55GB of information on over 28,000 Sennheiser customers. | AWS S3 | 55GB of information on over 28,000 Sennheiser customers | DE | C Manufacturing |
| 16/12/2021 | 12/11/2021 | D.W. Morgan | D.W. Morgan, a supply chain management and logistics company, exposes an AWS S3 bucket with 100 GB worth of data containing 2.5 million files detailing financial, shipment, transportation, personal and sensitive records. | AWS S3 | 100 GB worth of data containing 2.5 million files | US | N Administrative and support service activities |
| 20/12/2021 | 29/09/2021 | Ghana’s National Service Secretariat | Ghana’s National Service Secretariat exposes an AWS S3 bucket with 55GB of data of 700,000 citizens from across the country. | AWS S3 | 55GB of data with 3.8 million files of 700,000 citizens | GH | O Public administration and defence, compulsory social security |
| 30/12/2021 | - | SEGA Europe | SEGA Europe inadvertently leaves users’ personal information publicly accessible on Amazon Web Services (AWS) S3 bucket | | | | |