Amazon RDS reportedly leaking personal information of users

Share post:

Thousands of databases hosted on Amazon Web Services Relational Database Service (RDS) have been discovered to be leaking personally identifiable information, potentially providing a gold mine for threat actors.

The exposure is provided by Amazon RDS’s snapshot feature, which is used to back up the hosted databases. Users can use this feature to share public data or a template database with an application, as well as create a Public RDS snapshot for sharing without having to deal with roles and policies.

Names, email addresses, phone numbers, dates of birth, passwords, credit card details, tokens, marital status, car rental information, and even company logins were leaked, all of which can be used by hackers.

Mitiga, an Israeli company that conducted the research from September 21, 2022, to October 20, 2022, said it discovered 810 snapshots that were publicly shared for varying lengths ranging from a few hours to weeks, making them vulnerable to abuse by malicious actors.

To demonstrate how a threat actor could access the data, the researchers created an AWS native technique that uses AWS Lambda Step Function and boto3, the Python software development kit to scan, clone, and extract sensitive information from RDS snapshots on a large scale.

The researchers then observed 2,783 RDS snapshots, of which 810 were exposed publicly. Furthermore, 1,859 of the 2,783 snapshots were exposed for one to two days, giving an attacker enough time to obtain them easily.

However, Mitiga points out that AWS is not to blame because AWS not only makes RDS users aware of publicly exposed snapshots, but also provides tools such as AWS Trusted Advisor, which detects security issues and recommends remediation steps.

The sources for this piece include an article in TheHackerNews.

Featured Tech Jobs


Related articles

Apple reduces forecasts for Vision Pro as demand cools in key US market

In an unexpected shift, Apple has drastically reduced its shipment forecasts for the upcoming Vision Pro, indicating a...

FTC says Microsoft’s layoffs at Activision Blizzard may threaten merger approval

The FTC has expressed dissatisfaction with Microsoft's layoffs at Activision Blizzard, challenging the integrity of the Microsoft-Activision deal....

Delaware court voids Musks $56 billion dollar compensation

Tesla's stock experienced a notable downturn following a Delaware court's decision to void CEO Elon Musk's massive $56...

IT World Canada strikes partnership with Canadian Cybersecurity Network

Goal is to make it easier for infosec pros to access each organization

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways