How a Single Misconfigured S3 Bucket Exposed 70,000+ Sensitive Customer Records

Public S3 Bucket Leading to Mass Data Exposure

Recently, we conducted a penetration test for a company operating in the luxury vehicle sales and rental industry, including service centers and maintenance facilities.

As with every engagement, we started by defining the assessment scope and mapping the attack surface. The initial phase focused on reconnaissance: enumerating subdomains, identifying exposed services, analyzing technologies in use, and understanding the overall infrastructure.

From there, we moved methodically through the environment, reviewing servers, applications, configurations, and potential attack paths. As expected, several web application vulnerabilities were identified during the assessment.

Among the discovered assets was a subdomain that appeared unusual. Further investigation revealed that it was connected to an Amazon S3 bucket with misconfigured permissions.

uploads.redacted.co.il

The Discovery Process

The discovery began during the attack surface enumeration phase. Using a combination of passive and active reconnaissance techniques, we identified multiple internet-facing assets associated with the target organization.

subfinder -d redacted.co.il -silent
amass enum -passive -d redacted.co.il
httpx -silent -status-code -title

During the review of discovered assets, one particular subdomain immediately stood out:

uploads.redacted.co.il

Initial DNS analysis suggested that the host was backed by AWS infrastructure.

dig uploads.redacted.co.il
nslookup uploads.redacted.co.il

Further inspection revealed references to an Amazon S3 bucket. To validate the exposure, we performed non-intrusive checks against the bucket.

aws s3 ls s3://redacted-bucket

The bucket responded without authentication, confirming public access. We then enumerated the object structure and reviewed the metadata exposed by the storage service.

aws s3api list-objects-v2 --bucket redacted-bucket --no-sign-request

At this point, it became clear that the bucket was being actively used by production systems.

Understanding the S3 Exposure

Amazon S3 (Simple Storage Service) is one of the most widely used cloud storage platforms in the world. Organizations use S3 buckets to store application data, customer documents, backups, images, logs, and business-critical assets.

Security in S3 relies heavily on the proper configuration of:

• Bucket Policies
• Access Control Lists (ACLs)
• IAM Roles
• Public Access Block settings
• Object-level permissions

The S3 Misconfiguration

Cloud storage exposures remain among the most frequently identified findings during security assessments.

Here are some common techniques and attack vectors.

Public Read Access

Many organizations accidentally expose buckets through overly permissive ACLs or Bucket Policies that grant access to:

• AllUsers
• AuthenticatedUsers

This allows anyone on the internet to enumerate and retrieve sensitive files without authentication.

Public Write Access

An even more dangerous scenario occurs when attackers are granted permissions such as:

• s3:PutObject
• s3:DeleteObject
• s3:PutObjectAcl

through bucket policies assigned to anonymous users.

Security researchers often validate this by attempting to upload harmless test files.

If successful, an attacker may be able to:

• Upload arbitrary files
• Replace legitimate content
• Deface websites
• Poison application assets
• Manipulate software distribution mechanisms
• Abuse backend serverless workflows

In cloud-native environments that utilize Lambda functions, event triggers, CI/CD pipelines, or automated processing jobs, write access can become a stepping stone to deeper compromise.

Data Mining and Intelligence Gathering

Attackers routinely crawl exposed buckets searching for:

• API keys
• Internal documentation
• Credentials
• Backup archives
• Customer databases
• Source code
• Configuration files

Even seemingly harmless files can provide valuable intelligence for lateral movement and future attacks.

Analysis of the Exposed Data

In this case, the bucket permissions allowed public access to stored objects.

For those less familiar with cloud security, Amazon S3 buckets are commonly used to store files, documents, backups, images, and application-generated content. When access policies are misconfigured, these buckets can become publicly accessible from the internet without authentication.

After analyzing the bucket structure and its associated workflows, we discovered an automated process that uploaded customer documentation directly into the exposed storage location.

Whenever a customer purchased or rented a vehicle, the platform automatically uploaded documentation into the exposed bucket.

The data included:

• Full customer identification documents
• Payment information, including credit card data stored in clear text
• Personal photographs
• Customer signatures
• Signed agreements and contracts
• Vehicle purchase agreements

Scale of the Exposure

Our investigation revealed more than 70,000 documents containing highly sensitive personal and financial information.

A malicious actor discovering this exposure could have leveraged the data for:

• Identity theft
• Financial fraud
• Social engineering attacks
• Account takeover attempts
• Document forgery
• Large-scale privacy violations

Even more concerning is the question every security professional asks after discovering an issue like this:

How long has it been exposed?

In many cases, publicly accessible cloud storage remains unnoticed for months, or even years before someone identifies it.

Responsible Disclosure

When our team identifies a critical exposure, the priority is always the same:

1. Immediately notify the client.
2. Validate the impact.
3. Assist with remediation.
4. Verify that the exposure has been properly closed.
5. Help prevent similar issues from recurring.

Security assessments are not about finding vulnerabilities for the sake of reporting them.

They are about reducing risk before someone with malicious intent discovers the same weakness.

Final Thoughts

Security is not about hoping attackers won’t find your weaknesses, it’s about finding and fixing them before they do.

Cloud services, automation workflows, third-party integrations, and rapid business growth often create blind spots that remain invisible until they are actively tested.

A single misconfigured permission can expose tens of thousands of records and create significant legal, financial, and reputational consequences.

Regular penetration testing, security assessments, and cloud configuration reviews are no longer optional. They are essential components of modern cybersecurity.

The question is not whether attackers are looking. It’s whether you’ll find the exposure before they do.