S3 bucket mess up exposed 182GB of senior US, Canada citizens data

The misconfigured S3 bucket was owned by SeniorAdvisor, a consumer ratings and reviews website.

WizCase’s cybersecurity researchers discovered a misconfigured Amazon S3 bucket owned by SeniorAdvisor, one of the leading consumer ratings and reviews websites for senior care/services in the USA and Canada.

The company aids senior citizens in finding care options in their localities. The service was launched by for-profit senior care referral services known as A Place for Mom back in 2013.

S3 bucket mess up exposed 182GB of senior US, Canada citizens data

SeniorAdvisor’s homepage

The research team led by Ata Hakcil identified that the misconfigured bucket had made millions of people vulnerable to various threats and frauds. The database was left out in the open without any password protection, and it didn’t even require login credentials to access the information.

SEE: Defunct marketing firm exposed 32GB worth of records, customers data

Resultantly, WizCase researchers revealed that personally identifiable information (PII) of more than three million US senior citizens was contained in the unprotected database without any encryption.

Nearly 180 GB of Data Exposed

According to WizCase researchers, the misconfigured Amazon S3 bucket contained more than 1,000,000 files and 182GB of data. The bucket was secured after WizCase notified SeniorAdvisor. The bucket contained valuable PII, including the names and contact details of millions of older adults.

S3 bucket mess up exposed 182GB of senior US, Canada citizens data

Redacted screenshot of closed leads (Image: Wizcase)

Data Saved in the Form of Leads

Researchers identified that most of the exposed data were saved as leads and included customers’ contact details to target them in email or phone campaigns. Moreover, it also contained the dates when a particular user was contacted.

SEE: Misconfigured AWS bucket exposed 421GB of Artwork Archive data

As per WizCase’s analysis, the dates ranged from 2002 to 2013, and the files had timestamps dated 2017. Apart from PII, the database had around 2,000 reviews. While user details were scrubbed off, the reviews had a lead ID that could be used to detect users’ details easily.

Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.


Source: HackRead

Leave a Reply