More than 4 million records containing personal details of users of Time Warner Cable's MyTWC app were found unsecured on an Amazon server last month. Cybersecurity firm Kromtech Security Center discovered that about 600GB of data from a range of companies associated with communications software company BroadSoft had been left exposed in two AWS S3 buckets.
The S3 buckets were accidentally configured to allow public access, potentially allowing anyone with the URL to access and download the sensitive data.
Researchers said they discovered the data repositories during their investigation into the unrelated World Wrestling Entertainment (WWE) data leak. Kromtech said the exposed S3 buckets contained a "massive amount of sensitive information and researchers estimate it would take weeks to fully sort through all of the data."
One text file that dated back to November 2010 contained more than 4 million records which detailed subscribers' usernames, email addresses, MAC addresses, device serial numbers and financial transaction data.
Other databases included the billing addresses, phone numbers and other contact information for hundreds of thousands of Time Warner Cable (TWC) subscribers.
The exposed repository also contained a trove of internal company records including SQL database dumps, internal emails, code containing access credentials, access logs and more.
"We see more and more examples of how bad actors use leaked or hacked data for a range of crimes or other unethical purposes," Bob Diachenko, Kromtech's chief communications officer, said.
"The bottom line is that data is valuable and there will always be someone looking for it. Improperly securing data is just as bad if not worse because it was preventable.
"In this case, engineers accidentally leaked not only customer and partner data but also internal credentials that criminals could have easily used to monitor or access the company's network and infrastructure."
BroadSoft has more than 600 service providers in 80 countries and supports millions of subscribers across the globe, according to its website. Some of its partners include telecom giants AT&T, Sprint and Vodafone, among others.
Charter Communications – which acquired Time Warner Cable in 2016 and renamed it as Spectrum – said the exposed information was immediately removed after the discovery and the incident is currently being investigated along with BroadSoft.
"We were notified by a vendor that certain non-financial information of legacy Time Warner Cable customers who used the MyTWC app became potentially visible by external sources," Charter Communications said in a statement to Gizmodo.
The company said that there is currently no indication that Charter's systems were impacted, but advised its customers who do use the MyTWC app to change their login credentials. It did not mention how many subscribers were impacted in the exposure.
"Protecting customer privacy is of the utmost importance to us," the firm said. "We apologise for the frustration and anxiety this causes, and will communicate directly to customers if their information was involved in this incident."
A spokesperson for BroadSoft also confirmed the exposure, but said the company does not believe that the exposed data was "highly sensitive" or accessed by any threat actors.
"We immediately secured these Amazon S3 bucket exposures and are continuing to aggressively investigate these exposures and will take additional remedial actions as needed," BroadSoft added.
The latest incident comes as cloud-related data leaks, which see hundreds of thousands of users' personal and sensitive data publicly exposed online, become increasingly frequent.
Experts have voiced serious concerns about digital and cloud security following a slew of cloud-based gaffes often caused by configuration errors.
"As leaks caused by unsecured or misconfigured public cloud resources continue to occur, it's worthwhile to explore the reasons why," Varun Badhwar, CEO and co-founder of cloud infrastructure security firm RedLock, told IBTimes UK.
"Just as most organisations have adopted advanced threat defence solutions for their on-premise networks, they should also consider implementing solutions that provide advanced threat defence for the cloud. But the reality is this is not happening for the majority of organisations."