Android recreation dev’s Google Drive misconfig highlights cloud safety dangers

Data leak

Japanese recreation developer Ateam has confirmed {that a} easy Google Drive configuration mistake may end up in the potential however unlikely publicity of delicate data for practically a million folks over a interval of six years and eight months.

The Japanese agency is a cellular video games and content material creator, encompassing Ateam Leisure, which has a number of video games on Google Play like Warfare of LegionsDarkish SummonerHatsune Miku – Faucet Surprise, and instruments like Reminiscence Clear | Sport Increase Grasp, and Good Evening’s Sleep Alarm.

Earlier this month, Ateam knowledgeable customers of its apps and providers, workers, and enterprise companions that on November 21, 2023, it found that it had incorrectly set a Google Drive cloud storage occasion to “Anybody on the web with the hyperlink can view” since March 2017.

The insecurely configured Google Drive occasion contained 1,369 information with private data on Ateam prospects, Ateam enterprise companions, former and present workers, and even interns and individuals who utilized for a place on the firm.

Ateam has confirmed that 935,779 people had their information uncovered, with 98.9% being prospects. For Ateam Leisure particularly, 735,710 folks have been uncovered.

Analysis of exposed individuals
Evaluation of uncovered people (Ateam)

The information uncovered by this misconfiguration varies relying on the kind of relationship every particular person had with the corporate and should embrace the next:

  • Full names
  • E mail addresses
  • Cellphone numbers
  • Buyer administration numbers
  • Terminal (machine) identification numbers

The corporate says it has seen no concrete proof of risk actors having stolen the uncovered data however urges folks to stay vigilant for unsolicited and suspicious communications.

Safe your cloud providers

Setting Google Drive to “Anybody with the hyperlink can view” makes it viewable solely to these with the precise URL, sometimes reserved for collaboration between folks working with non-sensitive information.

If an worker, or another person with the hyperlink, mistakenly uncovered it publicly, it may get listed by search engines like google and grow to be broadly accessible.

Whereas it is unlikely that anybody discovered an uncovered Google Drive URL on their very own, this notification demonstrates a necessity for firms to correctly safe their cloud providers to stop information from being mistakenly uncovered.

It is extremely frequent for risk actors and researchers to seek out uncovered cloud providers, similar to databases and storage buckets, and obtain the information contained in them.

Whereas researchers normally responsibly disclose the uncovered information, if risk actors discover it, it could possibly result in greater issues as they use it to extort firms or promote it to different hackers to make use of in their very own assaults.

In 2017, safety researcher Chris Vickery discovered misconfigured Amazon S3 buckets exposing databases containing 1.8 billion social and discussion board posts made by customers worldwide.

Ten days later, the identical researcher found one other misconfigured S3 bucket that uncovered what gave the impression to be categorised data from INSCOM.

Whereas these breaches had been responsibly disclosed, different cloud service misconfigurations have led to the information being leaked or bought on hacker boards.

Misconfigured Amazon S3 buckets have grow to be a large enough downside that researchers have launched instruments that scan for uncovered buckets.

The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has additionally launched steerage for firms on easy methods to correctly safe cloud providers.

Related Articles


Please enter your comment!
Please enter your name here

Latest Articles