More and more of data! Yet another giant organization has now confirmed exposing sensitive data to the public. Accenture, a technology and cloud giant, has said that it inadvertently left a massive trove of private data across four cloud servers, potentially exposing sensitive passwords and private decryption keys. The servers were hosted on Amazon’s S3 storage when a security researcher discovered four AWS S3 storage buckets configured for public access, leaking internal emails, passwords, client data, and sensitive documents.

Accenture is a global management consulting company that claims to provide “strategy, consulting, digital, technology and operations services” to a majority of the Forture 100, which means this data that was in hundreds of gigabytes could put those large corporations at risk too. The exposed servers were not only accessible but didn’t require a password while containing sensitive data, including plaintext login details.
Chris Vickery, director of cyber risk research at UpGuard, first discovered this data and privately informed Accenture of the exposure last month. The four exposed servers were secured the next day. Vickery has called the exposed data “keys to the kingdom,” carrying potentially sensitive data of some of the world’s biggest companies.

“It is possible a malicious actor could have used the exposed keys to impersonate Accenture, dwelling silently within the company’s IT environment to gather more information. The specter of password reuse attacks also looms large, across multiple platforms, websites, and potentially hundreds of clients.”

Accenture cloud data leak was in hundreds of gigabytes; company is at the “downplaying stage” and hasn’t alerted any of its clients

Upguard researchers say that the data potentially puts anyone using Accenture’s Cloud Platform at risk. Among other data, researchers also found Accenture’s master keys for its AWS Key Management System (KMS), which could give attackers full control over encrypted data stored on Amazon’s servers by the company and should be considered compromised.
The largest of these servers contained over 137 gigabytes of data, including databases of login credentials of not only internal accounts but Accenture customers’ as well. In one database, Vickery also discovered 40,000 passwords, most of them plaintext.
As has become customary, Accenture is trying to downplay the severity of this data exposure claiming that no customer data was affected. However, researchers who first saw this exposed data don’t agree with the company’s narrative.

“Taken together, the significance of these exposed buckets is hard to overstate,” Upguard said in an advisory published today. “In the hands of competent threat actors, these cloud servers, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage.”