Millions of records containing the personal details of Time Warner Cable (TWC) customers have been discovered in a publicly accessible storage repository.
Security researchers at Kromtech, which makes the MacKeeper antivirus software, said they discovered the data on 24 August while researching another leak involving World Wrestling Entertainment (WWE).
They discovered two repositories hosted using Amazon’s S3 cloud storage service, neither requiring a password for access.
The repositories were linked to BroadSoft, a US-based company with offices worldwide that provides services to large communications companies including AT&T, Sprint and Vodafone.
TWC, which was acquired by Charter Communications last year and is now called Spectrum, said the data related to users of the MyTWC mobile application used to remotely manage accounts, which was developed by BroadSoft.
The company said the data had been removed and the incident was being investigated.
“We encourage customers who used the MyTWC app to change their user names and passwords,” Charter stated.
The data included usernames, email addresses, MAC addresses, device serial numbers and financial transaction information, although it doesn’t appear that social security numbers or credit card information was involved.
Other databases included billing addresses, phone numbers and other contact information.
One of the databases contained four million records relating to customers, but some were duplicates, meaning less than four million individual users were likely to have been affected.
Kromtech said it would take “weeks” to sort through the files, which amount to more than 600 GB of data.
The repositories also included internal company records, including SQL database dumps, internal emails and code containing the credentials for accessing external systems and access logs.
“These are all things that should not be publicly available online,” Kromtech said in an advisory.
BroadSoft confirmed the leak but said it did not believe sensitive data was involved. The company said it was investigating.
Inadvertent data leaks have become more frequent as it becomes more common for companies to make use of cloud-based service providers, whose data is accessible by anyone unless protections are in place.
The RNC breach, disclosed in June, affected more than 198 million people, or about 61 percent of the US population, and was the country’s largest-ever voter data exposure.
Last month Amazon announced a machine learning-based tool aimed at spotting such security lapses. ‘Macie’, a fully managed service, scans users’ data repositories for sensitive data including personal information or intellectual property and uses machine learning to establish a baseline for how it’s typically accessed. The system then generates alerts when it detects unauthorised access or inadvertent data leaks.
Ironically, Kromtech itself was the subject of a data leak in December 2015, when researcher Chris Vickery discovered the company had left 21 GB of customer data exposed on servers that required no authentication and were open to external connections.
How well do you know the cloud? Try our quiz!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…