Serg Nvns - Fotolia
An Amazon Web Services engineer uploaded sensitive data to a public GitHub repository that included customer credentials and private encryption keys.
Cybersecurity vendor UpGuard earlier this month found the exposed GitHub repository within 30 minutes of its creation. UpGuard analysts discovered the AWS leak, which was slightly less than 1 GB and contained log files and resource templates that included hostnames for "likely" AWS customers.
"Of greater concern, however, were the many credentials found in the repository," UpGuard said in its report Thursday. "Several documents contained access keys for various cloud services. There were multiple AWS key pairs, including one named 'rootkey.csv,' suggesting it provided root access to the user's AWS account."
The AWS leak also contained a file for an unnamed insurance company that included keys for email and messaging providers, as well as other files containing authentication tokens and API keys for third-party providers. UpGuard's report did not specify how many AWS customers were affected by the leak.
UpGuard said GitHub's token scanning feature, which is opt-in, could have detected and automatically revoked some of the exposed credentials in the repository, but it's unclear how quickly detection would have occurred. The vendor also said the token scanning tool would not have been able to revoke exposed passwords or private keys.
The documents in the AWS leak also bore the hallmarks of an AWS engineer, and some of the documents included the owner's name. UpGuard said it found a LinkedIn profile for an AWS engineer that matched the owner's exact full name, and the role matched the types of data found in the repository; as a result, the vendor said it was confident the owner was an AWS engineer.
While it's unclear why the engineer uploaded such sensitive material to a public GitHub repository, UpGuard said there was "no evidence that the user acted maliciously or that any personal data for end users was affected, in part because it was detected by UpGuard and remediated by AWS so quickly."
UpGuard said at approximately 11 a.m. on Jan. 13, its data leaks detection engine identified potentially sensitive information had been uploaded to the GitHub repository half an hour earlier. UpGuard analysts reviewed the documents and determined the sensitive nature of the data as well as the identity of the likely owner. An analyst contacted AWS' security team at 1:18 p.m. about the leak, and by 4 p.m. public access to the repository had been removed. SearchSecurity contacted AWS for comment, but at press time the company had not responded.