Technology and cloud giant Accenture has confirmed it inadvertently left a massive store of private data across four unsecured cloud servers, exposing highly sensitive passwords and secret decryption keys that could have inflicted considerable damage on the company and its customers.
On September 17th, 2017, Chris Vickery, director of Cyber Risk Research at UpGuard, discovered a trove of highly sensitive data exposed online without any security or login credentials.
The data belonged to Accenture PLC, one of the world’s largest corporate consulting and management firms, based in Dublin, Ireland.
The data was left exposed on four Amazon Web Services S3 storage buckets, allowing anyone to access and download it by merely entering the buckets’ web addresses into a web browser.
Upon analysis, Vickery found that the buckets contained internal Accenture data including APIs, cloud platform credentials, configurations, certificates, authentication credentials, decryption keys, customer information and other sensitive data that could be used to attack and damage Accenture and its customers.
One of the servers contained a folder that stored keys and certificates that could be used to decrypt traffic between Accenture and its customers as it traveled across the internet. Vickery said he also found credentials that appear to relate to Accenture’s access to Google’s Cloud Platform and Microsoft’s Azure, which could give an attacker further access to the company’s cloud assets, as well as virtual private network keys, which could have allowed an attacker to access Accenture’s internal corporate network.
Furthermore, the exposed buckets (labeled “acp-deployment,” “acpcollector,” “acp-software,” and “acp-ssl”) also contained details regarding Accenture Cloud Platform and how clients can use it.
The “acp-deployment” bucket contained internal access keys and credentials for use by the Identity API, and most importantly it contained “a plaintext document containing the master access key for Accenture’s account with Amazon Web Service’s Key Management Service, exposing an unknown number of credentials to malicious use.”
The “client.jks” bucket contained the clear-text password necessary to decrypt the file, while the bucket “acpcollector” contained “VPN keys used in production for Accenture’s private network, potentially exposing a master view of Accenture’s cloud ecosystem.”
The third bucket, “acp-software,” contained 137 GB of data, including database dumps, 40,000 plaintext passwords and access keys for the cloud infrastructure management platform Enstratus.
The fourth bucket, “acp-ssl,” contained an access key to another folder providing further access to more sensitive data.
If accessed, the data could have let attackers harm the firm and its clients without needing to exploit security flaws to get into Accenture’s cyberinfrastructure.
Keeping in mind the recent Equifax breach, which involved the personal details of 143 million Americans, a breach involving Accenture would stop clients from trusting corporate firms.
“It is possible a malicious actor could have used the exposed keys to impersonate Accenture, dwelling silently within the company’s IT environment to gather more information.”
UpGuard’s Dan O’Sullivan, who blogged about the data discovery, said hackers could have done an “untold amount of financial damage” to Accenture and any of its cloud-using customers.
We asked if anyone else had accessed the servers; the spokesperson said its logs showed access “by only a single non-authorized IP address which we traced back to a data security consultant who contacted us about two weeks ago.”
“The specter of password reuse attacks also looms large, across multiple platforms, websites, and potentially hundreds of clients,” concluded UpGuard.
At the time of publishing this article, the exposed data was secured due to UpGuard’s alert to Accenture.
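The exposure described above came from S3 buckets that could be read without credentials. As an added example (not from the original article, UpGuard or Accenture), the following Python check flags bucket ACLs and bucket policies that grant anonymous read access; the bucket names, account ID and ACL/policy documents are constructed placeholders, and the ACL input is assumed to have the shape returned by S3's get-bucket-acl call.

```python
import json
from fnmatch import fnmatchcase

# ACL grantee URIs for "everyone" and "any authenticated AWS user".
ACL_GROUP = "http://acs.amazonaws.com/groups/global/"
PUBLIC_GROUPS = {ACL_GROUP + "AllUsers", ACL_GROUP + "AuthenticatedUsers"}
READ_ACTIONS = ("s3:getobject", "s3:listbucket")

def as_list(value):
    return value if isinstance(value, list) else [value]

def public_acl_grants(acl):
    """Permissions that an ACL document grants to a public group."""
    return sorted(g["Permission"] for g in acl.get("Grants", [])
                  if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS)

def public_policy_statements(policy_json):
    """Sids of unconditioned Allow statements that let any principal read."""
    hits = []
    for i, st in enumerate(as_list(json.loads(policy_json).get("Statement", []))):
        who = st.get("Principal")
        anyone = who == "*" or (isinstance(who, dict) and "*" in as_list(who.get("AWS", [])))
        # Action patterns may use wildcards ("s3:Get*", "s3:*", "*").
        reads = any(fnmatchcase(target, pattern.lower())
                    for pattern in as_list(st.get("Action", []))
                    for target in READ_ACTIONS)
        # Statements with a Condition are left for manual review.
        if st.get("Effect") == "Allow" and anyone and reads and not st.get("Condition"):
            hits.append(st.get("Sid", f"statement-{i}"))
    return hits

def audit(buckets):
    """Map bucket name -> findings, for buckets readable without credentials."""
    report = {}
    for name, cfg in buckets.items():
        acl = public_acl_grants(cfg.get("acl", {}))
        policy = public_policy_statements(cfg.get("policy", "{}"))
        if acl or policy:
            report[name] = {"acl": acl, "policy": policy}
    return report

# Constructed sample data: names, account id and documents are placeholders.
SAMPLE = {
    "example-deploy": {"acl": {"Grants": [
        {"Grantee": {"Type": "Group", "URI": ACL_GROUP + "AllUsers"}, "Permission": "READ"},
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-placeholder"}, "Permission": "FULL_CONTROL"}]}},
    "example-software": {"policy": json.dumps({"Statement": [
        {"Sid": "PublicGet", "Effect": "Allow", "Principal": "*", "Action": "s3:Get*"}]})},
    "example-private": {"policy": json.dumps({"Statement": [
        {"Sid": "OwnerOnly", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "s3:*"}]})},
}
```

Calling `audit(SAMPLE)` reports `example-deploy` (public ACL grant) and `example-software` (wildcard-principal policy) and omits `example-private`.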