Cybersecurity firm UpGuard’s Cyber Risk Team said on Thursday that a set of documents was left in a publicly accessible Amazon S3 bucket.
GoDaddy is a domain name registrar and hosting provider which caters for millions of customers worldwide.
The information involved in the security breach appeared to describe GoDaddy’s architecture, as well as “high-level configuration information for tens of thousands of systems and pricing options for running those systems in Amazon AWS, including the discounts offered under different scenarios,” according to UpGuard.
Configuration files for hostnames, operating systems, workloads, AWS regions, memory, CPU specifications, and more were included in the exposed cache, which described at least 24,000 systems.
“Essentially, this data mapped a very large scale AWS cloud infrastructure deployment, with 41 different columns on individual systems, as well as summarized and modeled data on totals, averages, and other calculated fields,” the cybersecurity firm said.
The open bucket, called “abbottgodaddy,” also included what the company believes to be business information relating to the relationship between GoDaddy and Amazon AWS, including rate negotiations. This information should have been kept confidential.
The consequences of such a leak could have been disastrous for GoDaddy. If the data dump had ended up in the hands of threat actors willing to sell it on, or even in the hands of rival services, this could have had a severely detrimental effect on GoDaddy’s business. After all, without trade secrets and IP, a business has nothing to make it stand out from the crowd.
The information leak was discovered by UpGuard on June 19. It was over a month before GoDaddy responded to the advisory, eventually sealing off the bucket on July 26.
The security failure appears to have been the work of an AWS salesperson who failed to follow best practices for storing information.
“The bucket in question was created by an AWS salesperson to store prospective AWS pricing scenarios while working with a customer,” an AWS spokesperson told Engadget. “While Amazon S3 is secure by default and bucket access is locked down to just the account owner and root administrator under default configurations, the salesperson did not follow AWS best practices with this particular bucket.”
AWS says that no GoDaddy information was involved in the breach. GoDaddy says that the exposed documents were speculative models and were not related to current activities between the hosting provider and Amazon.
“Although the potential threats to exploit this kind of data require intentional malicious actors, the exposure of that data through misconfigured storage does not,” UpGuard said. “From operations as large as GoDaddy and Amazon, to small and medium organizations, anyone who uses cloud technology is subject to the risk of unintentional exposure, if the operational awareness and processes aren’t there to catch and fix misconfigurations when they occur.”