Japanese recreation developer Ateam has confirmed {that a} easy Google Drive configuration mistake can lead to the potential however unlikely publicity of delicate info for practically a million individuals over a interval of six years and eight months.
The Japanese agency is a cellular video games and content material creator, encompassing Ateam Leisure, which has a number of video games on Google Play like Struggle of Legions, Darkish Summoner, Hatsune Miku – Faucet Surprise, and instruments like Reminiscence Clear | Recreation Increase Grasp, and Good Night time’s Sleep Alarm.
Earlier this month, Ateam knowledgeable customers of its apps and providers, staff, and enterprise companions that on November 21, 2023, it found that it had incorrectly set a Google Drive cloud storage occasion to “Anybody on the web with the hyperlink can view” since March 2017.
The insecurely configured Google Drive occasion contained 1,369 recordsdata with private info on Ateam prospects, Ateam enterprise companions, former and present staff, and even interns and individuals who utilized for a place on the firm.
Ateam has confirmed that 935,779 people had their knowledge uncovered, with 98.9% being prospects. For Ateam Leisure particularly, 735,710 individuals have been uncovered.
The information uncovered by this misconfiguration varies relying on the kind of relationship every particular person had with the corporate and should embrace the next:
- Full names
- Electronic mail addresses
- Telephone numbers
- Buyer administration numbers
- Terminal (system) identification numbers
The corporate says it has seen no concrete proof of menace actors having stolen the uncovered info however urges individuals to stay vigilant for unsolicited and suspicious communications.
Safe your cloud providers
Setting Google Drive to “Anybody with the hyperlink can view” makes it viewable solely to these with the precise URL, sometimes reserved for collaboration between individuals working with non-sensitive knowledge.
If an worker, or another person with the hyperlink, mistakenly uncovered it publicly, it may get listed by search engines like google and change into broadly accessible.
Whereas it is unlikely that anybody discovered an uncovered Google Drive URL on their very own, this notification demonstrates a necessity for corporations to correctly safe their cloud providers to stop knowledge from being mistakenly uncovered.
It is vitally frequent for menace actors and researchers to seek out uncovered cloud providers, akin to databases and storage buckets, and obtain the information contained in them.
Whereas researchers often responsibly disclose the uncovered knowledge, if menace actors discover it, it might probably result in greater issues as they use it to extort corporations or promote it to different hackers to make use of in their very own assaults.
In 2017, security researcher Chris Vickery discovered misconfigured Amazon S3 buckets exposing databases containing 1.8 billion social and discussion board posts made by customers worldwide.
Ten days later, the identical researcher found one other misconfigured S3 bucket that uncovered what seemed to be categorised info from INSCOM.
Whereas these breaches have been responsibly disclosed, different cloud service misconfigurations have led to the information being leaked or offered on hacker boards.
Misconfigured Amazon S3 buckets have change into a sufficiently big downside that researchers have launched instruments that scan for uncovered buckets.
The US Cybersecurity and Infrastructure Safety Company (CISA) has additionally launched steering for corporations on tips on how to correctly safe cloud providers.
