Tuesday, January 2, 2024

Android game dev's Google Drive misconfig highlights cloud security risks


Japanese game developer Ateam has confirmed that a simple Google Drive configuration mistake can result in the potential but unlikely exposure of sensitive information for nearly one million people over a period of six years and eight months.

The Japanese firm is a mobile games and content creator, encompassing Ateam Entertainment, which has several games on Google Play like War of Legions, Dark Summoner, Hatsune Miku – Tap Wonder, and tools like Memory Clear | Game Boost Master, and Good Night's Sleep Alarm.

Earlier this month, Ateam informed users of its apps and services, employees, and business partners that on November 21, 2023, it discovered that it had incorrectly set a Google Drive cloud storage instance to "Anyone on the internet with the link can view" since March 2017.

The insecurely configured Google Drive instance contained 1,369 files with personal information on Ateam customers, Ateam business partners, former and current employees, and even interns and people who applied for a position at the company.

Ateam has confirmed that 935,779 individuals had their data exposed, with 98.9% being customers. For Ateam Entertainment specifically, 735,710 people have been exposed.

[Figure: Analysis of exposed individuals (Ateam)]

The data exposed by this misconfiguration varies depending on the type of relationship each individual had with the company and may include the following:

  • Full names
  • Email addresses
  • Phone numbers
  • Customer management numbers
  • Terminal (device) identification numbers

The company says it has seen no concrete evidence of threat actors having stolen the exposed information but urges people to remain vigilant for unsolicited and suspicious communications.

Secure your cloud services

Setting Google Drive to "Anyone with the link can view" makes it viewable only to those with the exact URL, typically reserved for collaboration between people working with non-sensitive data.

If an employee, or someone else with the link, mistakenly exposed it publicly, it could get indexed by search engines and become widely accessible.

While it's unlikely that anyone found an exposed Google Drive URL on their own, this notification demonstrates a need for companies to properly secure their cloud services to prevent data from being mistakenly exposed.
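One way a defender could look for this kind of sharing in their own Drive, shown as an added example that is not part of the original article: the script classifies each file's permissions from metadata shaped like a Drive API v3 `files.list` response. The file names, ids and dates are constructed sample data, and the `classify` and `audit` helpers are hypothetical names.

```python
import json
from datetime import datetime

# Constructed sample in the shape of a Drive API v3 files.list response
# (fields: id, name, createdTime, permissions). Not real data.
SAMPLE = json.loads("""
{"files": [
 {"id": "f1", "name": "customer_export.csv", "createdTime": "2017-03-01T00:00:00Z",
  "permissions": [{"type": "user", "role": "owner"},
                  {"type": "anyone", "role": "reader", "allowFileDiscovery": false}]},
 {"id": "f2", "name": "press_kit.pdf", "createdTime": "2023-06-10T00:00:00Z",
  "permissions": [{"type": "anyone", "role": "reader", "allowFileDiscovery": true}]},
 {"id": "f3", "name": "roadmap.docx", "createdTime": "2022-01-15T00:00:00Z",
  "permissions": [{"type": "domain", "role": "writer", "allowFileDiscovery": false}]},
 {"id": "f4", "name": "payroll.xlsx", "createdTime": "2021-11-02T00:00:00Z",
  "permissions": [{"type": "user", "role": "owner"}, {"type": "group", "role": "reader"}]}
]}
""")

# Exposure label -> severity; higher is worse.
SEVERITY = {"public-searchable": 3, "anyone-with-link": 2, "domain-wide": 1}

def classify(permission):
    """Map one permission entry to an exposure label, or None if it names a user or group."""
    ptype = permission.get("type")
    if ptype == "anyone":
        # allowFileDiscovery=True means the file can also be found through search.
        return "public-searchable" if permission.get("allowFileDiscovery") else "anyone-with-link"
    if ptype == "domain":
        return "domain-wide"
    return None

def audit(listing, as_of):
    """Return findings, worst first, for files shared beyond named users and groups."""
    findings = []
    for f in listing.get("files", []):
        labels = [label for label in map(classify, f.get("permissions", [])) if label]
        if not labels:
            continue
        # File age is only an upper bound on exposure: this metadata does not
        # record when link sharing was switched on.
        created = datetime.fromisoformat(f["createdTime"].replace("Z", "+00:00"))
        findings.append({"id": f["id"], "name": f["name"],
                         "exposure": max(labels, key=SEVERITY.get),
                         "max_days_exposed": (as_of - created).days})
    return sorted(findings, key=lambda x: (-SEVERITY[x["exposure"]], -x["max_days_exposed"]))

if __name__ == "__main__":
    for row in audit(SAMPLE, datetime.fromisoformat("2023-11-21T00:00:00+00:00")):
        print(row)
```

Files flagged `anyone-with-link` are the case the article describes: not searchable by default, but readable by whoever obtains the URL.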

It is very common for threat actors and researchers to find exposed cloud services, such as databases and storage buckets, and download the data contained in them.

While researchers usually responsibly disclose the exposed data, if threat actors find it, it can lead to bigger problems as they use it to extort companies or sell it to other hackers to use in their own attacks.

In 2017, security researcher Chris Vickery found misconfigured Amazon S3 buckets exposing databases containing 1.8 billion social and forum posts made by users worldwide.

Ten days later, the same researcher discovered another misconfigured S3 bucket that exposed what appeared to be classified information from INSCOM.

While these breaches were responsibly disclosed, other cloud service misconfigurations have led to the data being leaked or sold on hacker forums.

Misconfigured Amazon S3 buckets have become a big enough problem that researchers have released tools that scan for exposed buckets.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also released guidance for companies on how to properly secure cloud services.


