Over the last few years there have been multiple examples of leaky cloud services, exposing million of user records (with easily predictable consequences for the privacy of the unaware victims), or even fueling other attacks such in case of the two Magecart campaigns carried out compromising the AWSS3 buckets hosting the targeted sites’ configuration files.
And despite AWS S3 is the most common service to leak data, it’s not the only one, as you will notice. Last but not least, I will keep this list updated as soon as new cloud breaches will be revealed during 2021.
As always, thanks for sharing and supporting my work for spreading the risk awareness across the community. Also, don’t forget to follow @paulsparrows on Twitter, or even connect on Linkedin.
Date Reported
Date Disovered
Company
Description
Cloud Service
Data Exposed
Country
Link
Sector
04/01/2021
4/1/2021
Nissan North America
The source code of mobile apps and internal tools developed and used by Nissan North America leakes online after the company misconfigured one of its Git servers.
BitBucket
Source code of mobile apps and internal tools
US
C Manufacturing
14/01/2021
18/8/2020
Juspay
The data of 35 million users from Juspay goes on sales in the dark web
AWS S3
35 million users
IN
K Financial and insurance activities
15/01/2021
12/9/2020
CHS Consulting
Thousands of UK business professionals have had their personal details exposed online via a leaky Amazon Web Services bucket.
AWS S3
1000s of personal documents including passports.
UK
M Professional scientific and technical activities
19/01/2021
13/10/2020
Fleek
A cloud misconfiguration at a now-defunct social media app has exposed hundreds of thousands of files, including explicit photos of users that they thought had been deleted.
AWS S3
32 Gb (377,000 files)
US
R Arts entertainment and recreation
19/01/2021
During December 2020
Nohow International
An unsecured Microsoft Azure Blob leaks deeply sensitive documents of more than 12,000 construction workers, including scans of passports, national IDs, birth certificates, and tax returns.
Microsoft Azure
Sensitive documents of more than 12,000 construction workers
UK
N Administrative and support service activities
20/01/2021
-
Pixlr
ShinyHunters shares a database that he claims was stolen from Pixlr while he breached the 123rf stock photo site. Pixlr and 123rf are both owned by the same company, Inmagine.
AWS S3
1.9 million user records
US
R Arts entertainment and recreation
24/01/2021
-
MeetMindful
The hacking group ShinyHunters leaks personal information of over 2 million MeetMindful users.
AWS S3
2.8 million user records
US
R Arts entertainment and recreation
29/01/2021
1/12/2020
Imobiliare
The largest real estate portal in Romania, Imobiliare, suffers a data breach after a bucket was found to be exposed, without password protection or encryption.
AWS S3
201,087 files belonging to 200,000 people
RO
N Administrative and support service activities
01/02/2021
20/11/2020
Confédération Européenne de Volleyball (CEV), or European Volleyball Confederation.
A publicly exposed cloud storage bucket was found to contain images of hundreds of passports and identity documents belonging to journalists and volleyball players from around the world.
Microsoft Azure
Images of hundreds of passports and identity documents belonging to journalists and volleyball players from around the world.
EU
R Arts entertainment and recreation
17/02/2021
16/2/2021
Amber Group
A security lapse by a Jamaican government contractor exposes immigration records and COVID-19 test results for hundreds of thousands of travelers who visited the island over the past year.
AWS S3
70,000 negative COVID-19 lab results, over 425,000 immigration documents, and over 250,000 quarantine orders dating back to June 2020
JM
Q Human health and social work activities
25/02/2021
30/9/2020
Inova
A data leak containing private information about Turkish Citizens through a misconfigured Amazon S3 bucket leaks 55,000 court papers regarding over 15,000 legal cases, which affected hundreds of thousands of people.
AWS S3
55,000 court papers regarding over 15,000 legal cases
TR
M Professional scientific and technical activities
01/03/2021
21/1/2021
Ticketcounter
Ticketcounter suffers a data breach after a user database containing 1.9 million unique email addresses is stolen from an unsecured staging server.
Microsoft Azure
1.9 million user records
NL
R Arts entertainment and recreation
02/03/2021
12/2/2021
Mariana Tek
Mariana Tek, a US-based software company. The unsecured bucket contained more than 1.5 million user records, including usernames, full names, street and email addresses, phone numbers, postal codes, account balances, and more.
AWS S3
1.5 million user records
US
M Professional scientific and technical activities
03/03/2021
24/12/2020
CallX
US telemarketing company leaks the personal details of potentially tens of thousands of consumers after misconfiguring a cloud storage bucket.
AWS S3
485GB containing more than 114.000 files belonging to 10,000-100,000 people
US
N Administrative and support service activities
10/03/2021
22/02/2021
Premier Diagnostics
Utah-based COVID-19 testing service Premier Diagnostics exposes thousands of ID scans.
AWS S3
207,524 images of roughly 52,000 patients’ photo ID scans
US
Q Human health and social work activities
10/03/2021
14/12/2020
Mobile Anesthesiologists
Mobile Anesthesiologists exposes the ePHI of 65,403 patients.
Microsoft Azure
Data of 65,403 patients
US
Q Human health and social work activities
15/03/2021
24/12/2020
Aljex Software
103 GB worth of data belonging to Aljex Software is left exposed on a misconfigured AWS S3 Bucket.
AWS S3
4,361 files (103 GB)
US
M Professional scientific and technical activities
22/03/2021
During 2020
Hobby Lobby
Hobby Lobby exposes a large amount of data online, including customer names, phone numbers, physical and email addresses, and the last four digits of their payment card.
AWS S3
300,000 users' data (138 GB)
US
R Arts entertainment and recreation
23/03/2021
During December 2020
Avianis
Private aviation services provider Solairus Aviation announces that some employee and customer data was compromised in a security incident at third-party vendor Avianis.
Microsoft Azure
Customer Data
US
M Professional scientific and technical activities
30/03/2021
During February 2021
MobiKwik
Private information of nearly 100 million users of the Indian mobile payments startup is leaked in the dark web
AWS S3
100M users (8.2 TB)
IN
K Financial and insurance activities
01/04/2021
01/03/2021
New York Foundling
The New York Foundling leaks more than 2,000 CSV and TXT files from an unsecured Microsoft Azure Blob publicly accessible.
Microsoft Azure
2,000 CSV and TXT files, each with hundreds or thousands of entries related to patients’ medical records
US
Q Human health and social work activities
01/04/2021
Since at least December 2020
Med-Data
A former Med-Data employee uploads PHI of multiple healthcare organizations into multiple GitHub repositories.
GitHub
Multiple PHI records
US
M Professional scientific and technical activities
