CouchSurfing is an online service that lets users find free lodgings around the world. Currently the company is investigating a breach after hackers were found to be selling user data on several popular hacking forums. It was found they had stolen and were selling the data of over 17 million users. The data is currently being sold for $700, and contains user IDs, names, emails addresses, and account settings and it is believed to be from a misconfiguration of an AWS S3 bucket.
After investigation it appears that the data was not even password protected. In fact the data originated from a misplaced backup file, as most companies regularly back up their databases and don’t include passwords in their backups. Also since most backups are stored on the cloud, it can easily be exposed with misconfigured storage mediums, like S3 buckets, as seems to be the case in this situation.
S3 misconfiguration is a common way attackers are accessing private data. While cloud is powerful and complex, S3 buckets are actually rather simple and come with their own methods of encryption. One of the biggest problems that companies face is employee education. Education on how to properly secure a cloud environment is crucial to protecting the data you house.
S3 buckets should always be configured and if not, alerts should be in place to notify a team immediately. In addition to training, it is also necessary for each team to be very clear on what aspects they are responsible for, this would most likely fall under planning and procedures set at a VP level. Sharing the responsibility across the organization helps to keep a neat space when working in the cloud.
Luckily for its users the CouchSurfing data is low profile and will most likely be used for spam lists and malware distribution operations. However, the data is still out there and no breach is acceptable even a low risk one. It is important to understand how to use tools like S3 buckets in conjunction with native cloud services to help secure an environment.
Read more about this cloud security data breach at ZDNet.