Setting permissions on s3 buckets is absurdly complicated.

Though it's no excuse, it's not surprising people leave it open; it's too hard to figure out how to lock it down.

Amazon needs to share some of the blame here and create a sane UI.
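As an added illustration, not part of the comment above: a small offline check that reads a bucket policy document and reports which S3 actions it hands to anonymous callers, plus the Block Public Access setting (RestrictPublicBuckets) that neutralises such a policy regardless of what the JSON says. The two policy documents, the bucket name, account id and role name are constructed samples.

```python
import json

# Constructed sample policies (assumed examples, not from the thread): the
# first makes the bucket world-listable and world-readable, the second
# grants one IAM role read access and nothing to anonymous callers.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})

LOCKED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})


def _as_list(v):
    # Policy elements may be a single string/object or a list of them.
    return [v] if isinstance(v, (str, dict)) else list(v)


def _is_anonymous(principal):
    """True when the Principal element grants to everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_grants(policy_json, restrict_public_buckets=False):
    """Return (public_actions, actions_to_review) for a bucket policy.

    An Allow statement with the wildcard principal and no Condition grants
    the listed actions to anonymous callers outright. One that carries a
    Condition is reported for manual review, because conditions are not
    evaluated here. With the Block Public Access setting RestrictPublicBuckets
    enabled, S3 refuses anonymous and cross-account use of a public policy,
    so nothing is reported as public.
    """
    if restrict_public_buckets:
        return set(), set()
    policy = json.loads(policy_json)
    public, review = set(), set()
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        actions = set(_as_list(st.get("Action", [])))
        (review if "Condition" in st else public).update(actions)
    return public, review
```

Run `public_grants(PUBLIC_POLICY)` to see both the object-read and the bucket-listing grants flagged; the same policy with `restrict_public_buckets=True` reports nothing, which is the setting to turn on when the policy language itself is too hard to get right.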
Well, if Google Reviews are anything to go by, McDonald's is more pleasant than working at/with TigerSwan.

Also, it's amusing that they're blaming this mysterious third-party "TalentPen" whose search results are so scant that they have this very article as one of the top hits. Wouldn't TigerSwan be equally liable for vetting their vendors?
AWS S3 storage, as mentioned previously in this thread, is a real treasure trove of leaks and breaches. I have been scanning them as part of a project and regularly have to reach out to businesses to tell them they're leaking information publicly.

You name it, I've probably come across it - lots are for hosting static content of websites, which is pretty common, but there are also website and database backups, user-uploaded content (from a sensitive 'dating' website), development and staging environments with sensitive internal information, a sea of CVs, etc.

The hardest part is trying to responsibly disclose this stuff to the businesses - trying to find a security contact is often impossible, leaving it up to info@ or support@ emails.

And obviously AWS aren't the only cloud storage provider out there... there is more to be found with the other providers.
S3 is awesome. You can find all sorts of interesting stuff by adding site:s3.amazonaws.com to a Google search. You'd seriously be amazed (or not) at the stuff people leave in open S3 buckets.
Time Warner Cable also had the same data breach. I wonder, by "passwordless", did they mean someone was able to run an ls command on the bucket and was able to download as a public/anonymous user (direct S3 link)? If this was done, I bet you someone probably didn't have time to implement a secure link and just decided to make the bucket open.
URI or GTFO. What use is "reporting" on the snake oil industry's own FUDmongering press releases? "Permissions are hard, let's go shopping!"

Let's see some independent analyses of this dataset. Start turning on the right lights and the roaches will scatter.