Disclaimer: the author has contacted the affected companies mentioned in this post, provided instructions on how to remedy the outlined weakness, and deleted all sensitive files from personal devices. None of the companies replied.
In today’s digital age, companies are increasingly relying on technology to store sensitive information such as customer data, financial records, medical records, login credentials, and personal communication. Unfortunately, many businesses are failing to properly secure this information, leaving it vulnerable to cyber-attacks and data breaches.
It is common to store sensitive information such as infrastructure-as-code state or secret variable files using object storage services such as AWS S3, Google Cloud Storage, etc.
However, to secure these files, permissions need to be set up properly (e.g. by restricting access using IAM roles and fine-grained permissions). As it turns out, thousands of companies don’t do this and leave sensitive data publicly accessible.
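As an added illustration (not code from the original post), the sketch below audits an S3 bucket policy document offline and flags statements that let anonymous callers read objects, next to a policy scoped to a single IAM role. The bucket name, role name, account ID and the `audit_policy` helper are constructed for this example; `restrict_public_buckets` stands for the bucket's S3 Block Public Access `RestrictPublicBuckets` setting.

```python
import fnmatch

READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")

# Constructed sample policies; bucket name, role and account ID are placeholders.
LEAKY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-tfstate-bucket/*"}]}
HARDENED = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DeployRoleOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-ci-deployer"},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-tfstate-bucket/*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "*" and {"AWS": "*"} both match any caller, including unauthenticated ones.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def _grants_read(actions):
    # Actions are case-insensitive and may hold wildcards ("s3:*", "s3:Get*").
    return any(fnmatch.fnmatchcase(read.lower(), pattern.lower())
               for pattern in _as_list(actions) for read in READ_ACTIONS)

def audit_policy(policy, restrict_public_buckets=False):
    """Return (sid, verdict) for each statement that offers anonymous read."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if not _grants_read(stmt.get("Action", [])):
            continue
        if restrict_public_buckets:   # Public Access Block overrides the policy
            verdict = "blocked-by-public-access-block"
        elif stmt.get("Condition"):   # may or may not narrow access: human review
            verdict = "review-condition"
        else:
            verdict = "public"
        findings.append((stmt.get("Sid", f"statement-{i}"), verdict))
    return findings

if __name__ == "__main__":
    for name, policy in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(name, audit_policy(policy))
```

The check covers bucket policies only; object and bucket ACLs, `NotPrincipal`/`NotAction` elements and explicit `Deny` statements are not evaluated and need a separate review.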