Security researcher Jeremiah Fowler, working with the VPNMentor research team, has published findings from a months-long investigation into publicly accessible AWS S3 buckets, identifying misconfigurations across hundreds of organizations that collectively exposed over 2.1 billion records.


Scope of the Findings


The investigation identified 847 misconfigured S3 buckets across companies in 43 countries. The exposed data includes:


  • Customer PII: Names, email addresses, phone numbers, physical addresses, and partial payment card data
  • API keys and secrets: Active AWS access keys (access key ID plus secret), third-party service credentials (Stripe, Twilio, Salesforce), and OAuth tokens
  • Internal source code: Proprietary application code from 67 companies including fintech and healthcare technology firms
  • HR and employee records: Payroll data, performance reviews, and internal HR communications from 112 organizations
  • Infrastructure diagrams: Architecture documentation from 34 companies that would substantially lower the barrier for targeted attacks

Responsible Disclosure Process


Fowler's team notified each affected organization directly before publishing its findings. Of the 847 organizations contacted, 612 secured their buckets within 72 hours. 178 organizations had not responded after two weeks, at which point CISA and the relevant national CERTs were notified. 57 organizations are still unresponsive.


Root Causes


Common failure patterns include:

  • Legacy bucket policies and ACLs created before April 2023, when AWS began enabling Block Public Access and disabling ACLs by default on newly created buckets; the change was not applied retroactively, so buckets that already existed kept their public grants
  • Infrastructure-as-Code templates with hardcoded public-read ACLs
  • Developer test/staging environments promoted to production without security review
  • Third-party vendor onboarding processes that grant excessive S3 permissions

Technical Recommendations


AWS customers should enable S3 Block Public Access at the account level, which covers every bucket in the account (existing buckets included) and can be locked in across an organization with an SCP that denies s3:PutAccountPublicAccessBlock. Bucket policies should be audited continuously with AWS Config managed rules such as s3-bucket-public-read-prohibited, s3-bucket-public-write-prohibited and s3-account-level-public-access-blocks, or with IAM Access Analyzer for S3. Enable S3 server access logging and CloudTrail data events so that reads of exposed objects can be reconstructed after the fact, and run regular automated scans with tools like Prowler or AWS Security Hub. Any credential found in an exposed bucket should be treated as compromised: deactivate and rotate it immediately, then review CloudTrail for use of the old key during the exposure window. Block Public Access only blocks access; the public policy statement or ACL grant that caused the exposure should still be removed, otherwise the data is one setting change away from being public again.
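As an added example (not the researchers' tooling and not AWS-provided code), the following Python script performs the audit step above offline: it decides whether a bucket is actually reachable by the public given its Block Public Access settings, bucket policy and ACL, and separately flags the latent legacy grants described under Root Causes, which stay dormant only while Block Public Access is on. The wildcard-principal heuristic, the bucket names and the sample policy and ACL documents are constructed for this example; scan_live() uses real boto3 calls (get_public_access_block, get_bucket_policy, get_bucket_acl) against a live account and is not exercised here.

```python
"""Offline triage of S3 public exposure (added example, not vpnMentor's tooling).
AWS combines three inputs: Block Public Access (account OR bucket level), the
bucket policy and the bucket ACL.  Sample documents below are constructed;
scan_live() fetches real ones with boto3 and is not exercised offline."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
# Condition keys that tie a wildcard principal to one account, ARN, VPC endpoint or
# org.  Approximates AWS's "public" test; GetBucketPolicyStatus is the authority.
SCOPING_KEYS = {"aws:principalaccount", "aws:principalarn", "aws:principalorgid",
                "aws:sourceaccount", "aws:sourcearn", "aws:sourcevpc", "aws:sourcevpce",
                "aws:userid", "s3:dataaccesspointaccount", "s3:dataaccesspointarn"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _wildcard_principal(p):
    return p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))


def policy_is_public(policy):
    """True if an Allow statement names a wildcard principal and no Condition
    key narrows who that wildcard can be."""
    for stmt in _as_list((policy or {}).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if not keys & SCOPING_KEYS:
            return True
    return False


def acl_is_public(acl):
    """True if any grant goes to the AllUsers or AuthenticatedUsers group."""
    return any(g.get("Grantee", {}).get("Type") == "Group"
               and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)
               for g in acl.get("Grants", []))


def merge_pab(account_pab, bucket_pab):
    """A setting is in force if enabled at either level; a missing config
    (NoSuchPublicAccessBlockConfiguration) counts as all-False."""
    return {k: bool((account_pab or {}).get(k)) or bool((bucket_pab or {}).get(k))
            for k in PAB_KEYS}


def effective_exposure(pab, policy, acl):
    """BlockPublicAcls/BlockPublicPolicy only reject *new* public grants; ones
    already on the bucket are neutralised by IgnorePublicAcls and
    RestrictPublicBuckets, so a legacy bucket keeps serving data until those
    are on or the grant is removed.  needs_cleanup flags the latent grant."""
    acl_pub, pol_pub = acl_is_public(acl), policy_is_public(policy)
    exposed = []
    if acl_pub and not pab.get("IgnorePublicAcls"):
        exposed.append("acl")
    if pol_pub and not pab.get("RestrictPublicBuckets"):
        exposed.append("policy")
    return {"acl_public": acl_pub, "policy_public": pol_pub,
            "exposed_via": exposed, "needs_cleanup": acl_pub or pol_pub}


def scan_live(bucket):
    """Fetch the real inputs for one bucket (needs boto3 and AWS credentials)."""
    import boto3
    from botocore.exceptions import ClientError

    def get_or_none(fn, code, **kw):
        try:
            return fn(**kw)
        except ClientError as e:
            if e.response["Error"]["Code"] != code:
                raise
            return None
    missing = "NoSuchPublicAccessBlockConfiguration"
    s3 = boto3.client("s3")
    account = boto3.client("sts").get_caller_identity()["Account"]
    acct = get_or_none(boto3.client("s3control").get_public_access_block, missing, AccountId=account)
    bkt = get_or_none(s3.get_public_access_block, missing, Bucket=bucket)
    policy = get_or_none(s3.get_bucket_policy, "NoSuchBucketPolicy", Bucket=bucket)
    pab = merge_pab((acct or {}).get("PublicAccessBlockConfiguration"),
                    (bkt or {}).get("PublicAccessBlockConfiguration"))
    return effective_exposure(pab, json.loads(policy["Policy"]) if policy else None,
                              s3.get_bucket_acl(Bucket=bucket))


# --- constructed sample inputs (hypothetical bucket names) --------------------
LEGACY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-legacy-assets/*"}]}
VPCE_POLICY = {"Version": "2012-10-17", "Statement": [  # wildcard, but VPC-endpoint scoped
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-internal/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
               "Permission": "FULL_CONTROL"}
PUBLIC_READ_ACL = {"Grants": [OWNER_GRANT, {"Grantee": {"Type": "Group", "URI": ALL_USERS},
                                            "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [OWNER_GRANT]}
PAB_OFF = {k: False for k in PAB_KEYS}
PAB_ON = {k: True for k in PAB_KEYS}
```

Running effective_exposure(PAB_OFF, LEGACY_POLICY, PUBLIC_READ_ACL) reports the bucket exposed via both the ACL and the policy; with PAB_ON the same bucket reports nothing exposed but still needs_cleanup, which is the state to fix rather than accept. Against a live account, call scan_live() for every bucket name returned by list_buckets and treat needs_cleanup with an empty exposed_via as a bucket that is protected only by Block Public Access.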