Re: many companies still leave their S3 buckets unsecured
Possibly the bucket was set up so long ago that it didn't have any security as default.
They'd still have been getting emails from AWS for the last few years telling them it was unsecured though.