Four Million Time Warner Cable Records Left on Misconfigured AWS S3

600 gigabytes of information, including SQL database dumps, code, access logs, and customer information, belonging to BroadSoft and its client, TWC, was left online, accessible to anyone.

In what’s almost felt like an epidemic over the last few weeks, yet another slew of sensitive information—600 gigabytes of files—was recently left exposed on two cloud repositories, accessible to anyone.

The repositories, owned by BroadSoft, a global communication software and service provider, contained information – SQL database dumps, code, access logs, customer billing addresses, and phone numbers – belonging to clients, namely cable company Time Warner Cable (TWC). Researchers who found the information say records belonging to more than four million TWC customers, dating back to 2010, were found in one file.

The information was left on two misconfigured Amazon Web Services S3 buckets. The buckets, while usually protected by default, had been configured to allow public access, perhaps researchers suggest, for use as a backup testing ground.

According to Kromtech Security Center, which found the buckets, an authenticated user could have downloaded the data directly from the URL.

Bob Diachenko, the company’s chief communications officer, announced Kromtech’s findings on Friday, prior to the holiday weekend. Researchers with the firm, parent company of MacKeeper, found the database in July, shortly after researchers there had stumbled upon another unsecured S3 domain belonging to World Wrestling Entertainment.

“After the discovery researchers began testing other variations of the ‘-test’ suffix and came across 2 of the connected repositories (one using the underscore sign ‘_’ – not recommended by Amazon),” Diachenko wrote, “Searching for the test repositories is how it was discovered and we can only assume there are many more cloud-based data leaks actively available that started out as a testing ground, but were never secured.”

One text file, “User Profile Dump, 07-07-2017,” contained more than four million TWC customer records, most which stem from the company’s MyTWC app, an app that lets customers pay bills, upgrade services, and access voicemail, channel listings, and WiFi settings. Information from TWC customers between November 26, 2010 to July 7, 2017, was leaked in the file, including user names, Mac addresses, serial numbers, account numbers, service, category details, and transaction ID.

Researchers with Kromtech said they contacted engineers in BroadSoft’s Bangalore, India office after finding their email communications in the repository. The company insisted the repository didn’t belong to them and it was promptly closed after the notification, Diachenko said. The second bucket was secured after Kromtech notified officials with Charter Communications, which acquired TWC and Bright House Networks for nearly $72 billion last year.

A BroadSoft spokesperson told Threatpost Tuesday that the company rectified the issue as soon as it became aware of it and stressed that exposed data did not include customers’ bank, credit card, or social security number information.

“BroadSoft was notified that a third-party cloud storage site containing internal BroadSoft documentation and end-user customer data was exposed to the public internet. The end-user customer data exposed did not include bank or credit card information or social security numbers. As soon as we recognized the exposure, we immediately began to re-secure the information. BroadSoft core IT and cloud unified communication infrastructures were not exposed or compromised in this incident. We continue to work closely with our customer to ensure the privacy of their data and to assure them that their information and that of their end-users is secure. Our customers’ data privacy and security is of paramount importance to us, and we are committed to maintaining the highest standards to ensure their protection and security.”

A spokesperson from Time Warner Cable said the company was still investigating the incident when reached Tuesday and that the information was taken down upon discovery. As a general security measure TWC says it’s encouraging users who used the company’s MyTWC app to change their usernames and passwords.

“A vendor notified us that certain non-financial information of legacy Time Warner Cable customers who used the MyTWC app became potentially visible by external sources. Upon discovery, the information was removed immediately by the vendor, and we are currently investigating this incident with them. There is no indication that any Charter systems were impacted. As a general security measure, we encourage customers who used the MyTWC app to change their user names and passwords. Protecting customer privacy is of the utmost importance to us. We apologize for the frustration and anxiety this causes, and will communicate directly to customers if their information was involved in this incident.”

Week after week, news of poorly secured Amazon S3 buckets continue to make headlines. In August researchers with Kromtech discovered a bucket belonging to Groupize, a Massachusetts company that helps manage group meetings and hotel reservations.

Credit card authorization forms, including payment card information, expiration data and CVV code data were among some of the information in the publicly accessible bucket.

Researchers with UpGuard, another firm that’s banged the drum on misconfigured buckets, unearthed the entire Chicago voter roll in a bucket in early August. It also spotted data belonging to Verizon customers, via a third party’s AWS repository, in July.

Over the weekend the firm was able to disclose that a private military contractor, TigerSwan, left a S3 bucket containing prospective employees’ resumes and job applications publicly accessible earlier this summer. The contractor blamed a third-party recruiting vendor, TalentPen, and said it wasn’t aware of the leak until August 31.

Suggested articles