Exposed S3 bucket compromises 120 million Brazilian citizens

News by Doug Olenick

More than 120 million unique identification numbers issued by the Brazilian Federal Reserve to Brazilian citizens and tied to tax-paying resident aliens, spent months earlier this year publicly exposed on the internet.

More than 120 million unique identification numbers issued by the Brazilian Federal Reserve to Brazilian citizens and tied to tax-paying resident aliens, spent months earlier this year publicly exposed on the internet.

The data breach was noticed in March by the InfoArmor Advanced Threat Intelligence team when it found what is called Cadastro de Pessoas Físicas (CPFs). This number is the primary link to a treasure trove of Brazilian citizens information including banks, loans, repayments, credit and debit history, voting history, full name, emails, residential addresses, phone numbers, date of birth, family contacts, employment, voting registration numbers, contract numbers, and contract amounts.

The CFP was discovered during a sweep conducted by InfoArmor searching for unsecured S3 buckets. Making the situation worse is the data was made public due to a few very basic errors.

First, someone had renamed the index.html" to "index.html_bkp," revealing the directory’s content next and then did not prohibit access through .htaccess configuration.

InfoArmor attempted to contact and warn the owners, an act that took several weeks to accomplish as the initial emails contacted were kicked back as invalid.

After more attempts were made using different email addresses, InfoArmor received a reply in April saying the server owner had notified its customer of the issue, but the information remained exposed for several additional weeks before being locked down.

"What was originally misconfigured to be accessible by IP address was reconfigured as a functional website with an authenticated alibabaconsultas.com domain that redirected to
its login panel. Although InfoArmor cannot be sure that alibabaconsultas.com was responsible for the leak, it appears they were somehow involved, likely in a hosting-as-a-service function," InforArmor said.

While the server remained open, InfoArmor researchers were able to watch files being manipulated. However, they had no idea by whom they were being accessed.

"I would, however, not be so certain that cyber-criminals managed to get the data from the exposed server. I’d rather presuppose that cyber-criminals have had this (and probably many other governmental data from Brazil) for years if such an overt leakage happened in such scandalous circumstances," Ilia Kolochenko, CEO and founder of High-Tech Bridge, told SC Media.

This article was originally published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews