Fortune 500 companies’ ‘Keys to the Kingdom’ hung out for the public

Accenture, a cloud giant that provides technology service for 75% of Fortune 500 companies, left four servers exposed on Amazon’s s3 storage service.

The servers contained passwords and decryption keys that could have been used to inflict an enormous amount of damage to Accenture and its customers. Luckily the vulnerability was found by Chris Vickery, director of cyber risk research at security firm UpGuard. Within 24 hours of being notified, Accenture secured the servers.

This data was so unsecure, anyone without a password could have downloaded the information so long as they knew the web address and where to look. A hacker could have made off with a variety of company credentials, from signing keys that could have been leveraged in a spear-phishing attack or used to disguise malicious activity, to essential passwords and master keys.

These so called “keys to the kingdom” were present for multiple companies and included Amazon Web Service’s Key Management System which, if stolen, could have been used to have full access to Accenture’s encrypted data stored on Amazon’s servers.

Furthermore, there were links between the Amazon cloud service data and Accenture’s Google Cloud Platform and Microsoft’s Azure. Utilizing any of these would have given a hacker untold access to all of Accenture’s client and internalized data – especially since the vast majority of this information was stored in plaintext.

According to Vickery, there was over 137 gigabytes of potentially compromised data on just one server alone, with one exposed backup database containing almost 40,000 passwords. Vickery went on to host a question and answer, after Accenture had assured news outlets and himself that the problem had been addressed.

Thankfully, initial investigations into the exposed server revealed online one outside IP address that had accessed the data, and that belonged to a security consultant company – namely UpGuard’s Vickery.

While the problem appears to have subsided and a crisis averted, it’s always good to keep in mind that cloud-based servers and online databases still require basic security protections so not just anyone can walk in off the virtual street.