Hundreds of Amazon RDS instances expose users' personal information


Researchers from Mitiga reported a leak of personal information from hundreds of databases on the Amazon Relational Database Service (Amazon RDS). According to them, such a leak is a real gift for attackers: it contains names, email addresses, phone numbers, dates of birth, marital status, car rental information, and even company credentials.

Amazon Relational Database Service (Amazon RDS) is a set of managed services that makes it easy to set up, run, and scale your database in the cloud. It supports various database systems such as MariaDB, MySQL, Oracle, PostgreSQL and SQL Server.

As the experts determined, the root cause of the data leaks was a feature that allows you to create a publicly available snapshot of the entire database environment running in the cloud. During the study, which was conducted from September 21, 2022 to October 20, 2022, experts found 810 snapshots that were publicly accessible for periods ranging from several hours to several weeks, which means they could have been used by attackers.

It's worth noting that Amazon's documentation recommends not including any sensitive information in a publicly available snapshot, as all other AWS users will be able to copy it.
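An audit for this exposure, as an added example that is not from Mitiga or AWS: an RDS snapshot is public when its "restore" attribute contains the value "all", and the code below classifies snapshots as public, shared with specific accounts, or private. The sample data is constructed; fetch_live is a hypothetical helper that assumes boto3 is installed and credentials with read access to RDS are configured.

```python
# Constructed sample data shaped like boto3 rds.describe_db_snapshot_attributes()
# results; snapshot names and the account ID are made up for illustration.
SAMPLE_RESULTS = [
    {"DBSnapshotIdentifier": "orders-2022-10-01",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]},
    {"DBSnapshotIdentifier": "crm-handover",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["111122223333"]}]},
    {"DBSnapshotIdentifier": "billing-nightly",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}]},
]


def classify_sharing(result):
    """Return (state, accounts); state is 'public', 'shared' or 'private'."""
    values = [v for attr in result.get("DBSnapshotAttributes", [])
              if attr.get("AttributeName") == "restore"
              for v in attr.get("AttributeValues", [])]
    if "all" in values:  # "all" means any AWS account may copy or restore it
        return "public", []
    if values:
        return "shared", sorted(values)
    return "private", []


def audit(results):
    """Map snapshot identifier -> (state, accounts) for every non-private snapshot."""
    findings = {}
    for result in results:
        state, accounts = classify_sharing(result)
        if state != "private":
            findings[result["DBSnapshotIdentifier"]] = (state, accounts)
    return findings


def fetch_live(region):
    """Yield attribute results for every manual snapshot in one region (needs boto3)."""
    import boto3  # imported lazily so the offline sample run needs no AWS SDK
    rds = boto3.client("rds", region_name=region)
    for page in rds.get_paginator("describe_db_snapshots").paginate(SnapshotType="manual"):
        for snap in page["DBSnapshots"]:
            resp = rds.describe_db_snapshot_attributes(
                DBSnapshotIdentifier=snap["DBSnapshotIdentifier"])
            yield resp["DBSnapshotAttributesResult"]


if __name__ == "__main__":
    for name, (state, accounts) in audit(SAMPLE_RESULTS).items():
        print(name, state, accounts)
```

Against a real account, pass audit(fetch_live(region)) for each region in use, since snapshots are regional and a public one in an unused region is easy to miss.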

Based on the nature of the leaked information, experts believe that hackers will use it for financial gain or to better understand the IT environment of a company that may become their potential victim.