back to article Small business loans app blamed as 500,000 financial records leak out of ... you guessed it, an open S3 bucket

A now-defunct mobile app for loaning money to small business owners has been pinned down as the source of an exposed archive containing roughly 500,000 personal and business financial records. The research team at vpnMentor said it traced an exposed database of financial records back to a former Android/iOS app called MCA …

  1. Anonymous Coward
    Anonymous Coward

    Why are these things called buckets?

    1. Dave Pickles
      1. Aristotles slow and dimwitted horse Silver badge

        Dear Coward...

        Dear Coward...

        1. stiine Silver badge
          1. Michael Wojcik Silver badge

            Indeed, evidence suggests S3 buckets are often associated with a-holes.

            (The axe is too dull, and so are many of the developers who use S3...)

    2. Trigonoceps occipitalis

      I REFER YOU TO THE POST I MADE EARLIER

      There's a Hole in My Bucket

      Dear Lisa, Dear Lisa,

      There's a Hole in My Bucket,

      Dear Lisa, a Hole.

      With What Do You Fill It,

      Dear Henry, Dear Henry,

      With What Do You Fill It,

      Dear Henry, With What?

      Why, Data,

      Dear Lisa ...

  2. Pascal Monett Silver badge

    Ok, the lesson to learn here . .

    . . is that it is time to stop trusting small startups with your private data.

    Yeah, I know, that is going to put a crimp on startups that propose money. In the meantime, we need a certification that proves that the startup knows what security is and knows how to manage cloud accounts.

    I know, I'm dreaming. Just don't trust financial startups that don't have a banking charter.

    1. IGotOut

      Re: Ok, the lesson to learn here . .

      Is Equifax a start up?

    2. Down not across Silver badge

      Re: Ok, the lesson to learn here . .

      Just don't trust financial startups that don't have a banking charter.

      Sadly entities with a banking charter are not necessarily any more trustworthy.

    3. HildyJ Silver badge
      Devil

      Re: Ok, the lesson to learn here . .

      Given that Barklay's leaky bucket just hit the news 5 days ago and BT seems to be using a wicker basket instead of a bucket, I think you should say companies, not small financial startups.

    4. Snake Silver badge

      Re: Ok, the lesson to learn here . .

      It's quite sad, really. When I set up (our) S3 bucket, obscure as some of the optional configurations were, I made it a point to go through them, learn what they did, and set accordingly. As a result my bucket was 'Can be public' from Day 1 of the privacy testing tools rollout, a decent setting.

      So some "tech" support, with far more responsibilities and (supposedly) far more training than me, yet far less real-world intelligence, pushes a few buttons and stamps "Done!" to the project. If they are assigning the project to the PFY then they only have themselves to blame for not following up on assurance; if the BOFH is causing these muck-ups then one must, frankly, question their compensation levels.

  3. Androgynous Cow Herd

    At least

    For once no one had to stand up and fib "Your privacy is important to Us"

  4. YetAnotherJoeBlow

    Once again...

    Yet another reason to hold CEOs personally accountable for both civil and criminal matters for preventable information disclosure. (ie a permissions problem.)

  5. Mike Lewis

    Are S3 buckets insecure by default?

    Woudn't it be better to make them secure by default instead?

    1. Anonymous Coward
      Anonymous Coward

      Re: Are S3 buckets insecure by default?

      No, they are incredibly secure by default. You have to physically uncheck 4 checkboxes just to make the bucket and subsequent uploaded files publicly accessible.

      1. Michael Wojcik Silver badge

        Re: Are S3 buckets insecure by default?

        And Amazon provide a bunch of documentation and guides on this subject. There seems to be a considerable amount of willful stupidity among the population of S3 users.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020