News broke last week that sensitive data was exposed yet again. I hope you haven’t forgotten our running analogy, “we are living in the cybersecurity version of the movie Groundhog Day.” It seems like every day we are reliving the same problem, the same leak over and over again. If you are reading this thinking “yes, you’ve used that analogy way too many times,” then I hope you understand that’s kind of the point.

Nevertheless, it’s time to add another company to the list of S3 bucket leaks that have exposed sensitive, personal information for hundreds of millions of people from around the world.

So what happened this time?

SpyFone, whose website hero header reads “Monitor Your Children with World’s #1 Parental Monitoring Software – Trusted by Parents Worldwide,” left the data of thousands of its customers—and the information of the children they were monitoring—exposed in an unprotected Amazon S3 bucket.

According to Motherboard:

The data exposed included selfies, text messages, audio recordings, contacts, location, hashed passwords and logins, Facebook messages, and more.

A security researcher found the data on an Amazon S3 bucket owned by SpyFone, and Motherboard was able to verify that the researcher had access to SpyFone’s monitored devices’ data by creating a trial account, installing the spyware on a phone, and taking some pictures. Hours later, the researcher sent back one of those pictures.

The researcher said that the exposed data contained several terabytes of “unencrypted camera photos.”

SpyFone’s tagline in the features section of their website reads: “Get peace of mind while monitoring your children’s activity online.” If not for the security researcher finding the exposed data first, it may not have been only the parents who were monitoring their children’s selfies, text messages, calls, location, etc. The risk of companies exposing personal data is very high, and at times the exposure is even dangerous.

What could SpyFone have done differently?

For starters, SpyFone could have done nothing. Amazon S3 buckets are private by default and can only be accessed by users who have been explicitly given access. Again, by default, the account owner and the resource creator are the only ones who have access to an S3 bucket and key.
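The private default described above appears in a bucket's ACL as a single owner grant. The check below is an added example, not code from the original post or from DivvyCloud, and it flags ACL grants and bucket policy statements that open a bucket beyond that default. The sample ACLs, policy, bucket name and owner ID are constructed, shaped like S3 GetBucketAcl and GetBucketPolicy responses.

```python
import json

# ACL group URIs that mean "everyone" and "any AWS account holder".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

def acl_findings(acl):
    """Flag ACL grants made to a public group instead of a named owner."""
    found = []
    for grant in acl.get("Grants", []):
        who = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
        if who:
            found.append(f"ACL grants {grant['Permission']} to {who}")
    return found

def is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if isinstance(principal, dict):
        principal = principal.get("AWS")
    return principal == "*" or (isinstance(principal, list) and "*" in principal)

def policy_findings(policy_json):
    """Flag Allow statements whose principal is a wildcard."""
    found = []
    statements = json.loads(policy_json).get("Statement", []) if policy_json else []
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    for s in statements:
        if s.get("Effect") == "Allow" and is_wildcard(s.get("Principal")):
            note = " (has Condition, review manually)" if s.get("Condition") else ""
            found.append(f"policy allows {s.get('Action')} to any principal{note}")
    return found

def audit(acl, policy_json=None):
    """Combine ACL and policy findings; an empty list means owner-only access."""
    return acl_findings(acl) + policy_findings(policy_json)

# Constructed samples shaped like GetBucketAcl / GetBucketPolicy responses.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"}
DEFAULT_ACL = {"Grants": [OWNER]}
PUBLIC_ACL = {"Grants": [OWNER, {"Grantee": {"Type": "Group",
              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    for name, args in [("default", (DEFAULT_ACL,)), ("public", (PUBLIC_ACL, PUBLIC_POLICY))]:
        print(name, audit(*args) or "private: owner-only access")
```

An account-level or bucket-level Block Public Access setting can override these grants, so a finding here is a prompt to check the effective configuration rather than proof of exposure.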

SpyFone could have also installed DivvyCloud.

In about 15 minutes, you can install DivvyCloud, connect your cloud (AWS, Azure, and GCP) accounts, quickly see S3 buckets that are misconfigured, and then turn on real-time continuous automated remediation of misconfigured buckets.

Make S3 bucket leaks a thing of the past (now and forever). Install DivvyCloud today with a free 30-day trial and make sure your company never makes the news for an S3 bucket leak.


DivvyCloud mitigates security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes). First, our software performs real-time, continuous discovery of infrastructure resources, allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.