By: Ravie Lakshmanan
More than one terabyte of data containing 5.5 million files has been left exposed, leaking personal information of over 100,000 customers of a Colombian real estate firm, according to cybersecurity company WizCase.
The breach was discovered by Ata Hakçıl and his team in a database owned by Coninsa Ramon H, a company that specializes in architecture, engineering, construction, and real estate services. “There was no need for a password or login credentials to see this information, and the data was not encrypted,” the researchers said in an exclusive report shared with The Hacker News.
The data exposure is the result of a misconfigured Amazon Web Services (AWS) Simple Storage Service (S3) bucket, causing sensitive information such as clients’ names, photos, and addresses to be disclosed. The details stored in the bucket range from invoices and income documents to quotes and account statements dating between 2014 and 2021. The complete list of information contained in the documents is as follows –
Amounts paid for estates, and
In addition, the bucket is also said to contain a database backup that includes additional information such as profile pictures, usernames, and hashed passwords. Troublingly, the researchers said they also found malicious, backdoor code in the bucket that could be exploited to gain persistent access to the website and redirect unsuspecting visitors to fraudulent pages.
It’s not immediately clear if these files were put to use by bad actors in any campaign. Coninsa Ramon H did not respond to inquiries from The Hacker News sent via email regarding the vulnerability.
“Based on viewing a sample of the documents, […] the misconfiguration revealed $140 to $200 billion in transactions, or an annual transaction history of at least $46 billion,” the researchers said. “For perspective, that’s roughly 14% of Colombia’s total economy.”
The highly confidential nature of the data contained within the database makes it highly susceptible to exploitation by cybercriminals to mount phishing attacks and conduct a variety of fraud or scam activities, including tricking users into making additional payments and, worse, revealing more personally identifiable information by tampering with the website’s backend infrastructure.