close
close

Google Cloud Storage Bucket Leak Linked to Shark Tank Contestant

Posted on by Vaseline
Google Cloud Storage Bucket Leak Linked to Shark Tank Contestant

Google Cloud Storage Bucket Leak Linked to Shark Tank Contestant

A misconfigured Google Cloud Storage bucket associated with Alice’s Table, a popular virtual flower arranging platform, exposed the personal data of more than 83,000 customers.

The breach involved tens of thousands of files containing sensitive information, such as names, email addresses, home addresses and order details of the platform’s users.

In a blog post about the breach, Cyble researchers reported that such exposures are surprisingly common. Cyble’s Odin vulnerability search tool found more than 500,000 exposed cloud storage buckets between Google Cloud Storage and AWS.

Exposed cloud storage bucket linked to Alice’s Table

Cybernews researchers first identified the exposed Google Cloud bucket in April during a routine investigation. The bucket contained 37,349 files, including 10,183 XLSX and CSV files containing personally identifiable information (PII). While the majority of the exposed email addresses were personal, a significant portion were tied to corporate accounts, including those of large companies such as BCG, Pfizer, PwC, Charles Schwab, and government employees, the researchers said.

The leak raises security concerns regarding business email addresses that can be used for phishing attacks, spam, identity theft, and unauthorized access to confidential information. Additionally, the exposure of home addresses puts victims at risk of physical intrusion.

Founded in 2015 by Boston entrepreneur Alice Lewis, Alice’s Table is a subsidiary of 1-800-Flowers. The company gained widespread attention after securing a $250,000 investment in ABC’s Shark Tank in 2017. In addition to floral arrangements, the platform offers live-streaming experiences for culinary and cocktail workshops.

Misconfigured Cloud Storage Buckets: A Common Security Risk

Improperly configured cloud storage buckets are cloud storage containers that have been set up with insufficient security measures, allowing unauthorized access to the contents. This can lead to data breaches, unauthorized data theft, and other serious security vulnerabilities.

Common issues with misconfigurations include:

  • Publicly accessible buckets: Anyone who knows the URL can access these buckets, even without authentication.
  • Incorrect permissions: If permissions are set too broadly, unauthorized users may be able to access or modify data.
  • Missing encryption: Data stored in unencrypted buckets can be easily intercepted and read if sent over an insecure network.
  • Weak access controls: If access controls are weak, unauthorized users may be able to gain access to the bucket by guessing credentials or exploiting vulnerabilities.

Why are misconfigured cloud storage buckets a security nightmare?

Cloud storage buckets may contain sensitive and personally identifiable information (PII), which can lead to a number of security risks.

  • Wide prevalence: Research has shown that a significant number of cloud storage buckets are misconfigured. For example, one study found that millions of buckets were publicly accessible, containing more than 10 billion data files containing sensitive information such as financial information, medical records, and intellectual property.
  • Data leaks: Misconfigured buckets have been responsible for numerous high-profile data breaches, exposing large amounts of sensitive information. An example: a data leak at BMW.
  • Financial losses: Data breaches caused by misconfigured buckets can result in significant financial losses for organizations, due to fines, legal fees, and reputational damage.

How to prevent misconfigured cloud storage buckets?

The Cyble blog listed specific steps for securing Google Cloud Storage buckets, along with some security tools that can help secure cloud storage buckets. Here are some general controls that cloud customers should use:

  • Implement strong access controls: Use granular access controls to restrict bucket access to authorized users.
  • Enable encryption: Encrypt data at rest and in transit to protect it from unauthorized access.
  • Check and update security settings regularly: Check and update your security settings regularly to ensure they are still appropriate.
  • Use cloud security tools: Consider leveraging cloud security tools and AI-driven threat intelligence platforms like Cyble’s CTI and Odin to identify and address misconfigurations.

By following these best practices, organizations can reduce the risk of misconfigured cloud storage buckets and protect their sensitive data.

Neither Alice’s Table nor 1-800-Flowers had responded to Cybernews’ request for comment by the time of publication.

Related

Related Posts