A misconfigured Google Cloud Storage bucket linked to Alice’s Table, a popular virtual floral arrangement platform, has exposed the personal data of over 83,000 customers.
The breach involved tens of thousands of files containing sensitive information such as names, email addresses, home addresses, and order details of the platform’s users.
In a blog post on the data leak, Cyble researchers reported that such exposures are surprisingly common. Cyble’s Odin vulnerability search tool found more than 500,000 exposed cloud storage buckets between Google Cloud Storage and AWS.
Exposed Cloud Storage Bucket Linked to Alice’s Table
Cybernews researchers first identified the exposed Google Cloud bucket in April during a routine investigation. The bucket contained 37,349 files, including 10,183 XLSX and CSV files with personally identifiable information (PII). While the majority of the exposed email addresses were personal, a significant portion were associated with corporate accounts, including those belonging to major companies like BCG, Pfizer, PwC, Charles Schwab, and government employees, the researchers said.
The leak raises security concerns associated with business email addresses that can be used for phishing attacks, spamming, identity theft, and unauthorized access to confidential information. Additionally, the exposure of home addresses puts victims at risk of physical intrusions.
Founded in 2015 by Boston entrepreneur Alice Lewis, Alice’s Table is a subsidiary of 1-800-Flowers. The company gained widespread attention after securing a $250,000 investment on ABC’s Shark Tank in 2017. In addition to floral arrangements, the platform offers live streaming experiences for culinary and cocktail workshops.
Misconfigured Cloud Storage Buckets: A Common Security Risk
Misconfigured cloud storage buckets are cloud storage containers that have been set up with insufficient security controls, allowing unauthorized access to their contents. This can lead to data breaches, unauthorized data exfiltration, and other serious security consequences.
Common misconfiguration issues include:
- Publicly accessible buckets: These buckets can be accessed by anyone who knows their URL, even without authentication.
- Incorrect permissions: If permissions are set too broadly, unauthorized users may be able to access or modify data.
- Missing encryption: Data stored in unencrypted buckets can be easily intercepted and read if it is transmitted over an insecure network.
- Weak access controls: If access controls are weak, unauthorized users may be able to gain access to the bucket by guessing credentials or exploiting vulnerabilities.
Why are misconfigured cloud storage buckets a security nightmare?
Cloud storage buckets can contain sensitive and personally identifiable information (PII), leading to a number of security risks.
- Wide prevalence: Studies have shown that a significant number of cloud storage buckets are misconfigured. For example, one study found that millions of buckets were publicly accessible, containing more than 10 billion data files that had sensitive data such as financial information, medical records, and intellectual property.
- Data breaches: Misconfigured buckets have been responsible for numerous high-profile data breaches, resulting in the exposure of large amounts of sensitive information.
- Financial losses: Data breaches caused by misconfigured buckets can lead to significant financial losses for organizations, due to fines, legal costs, and damage to reputation.
How to prevent misconfigured cloud storage buckets
The Cyble blog noted specific steps for securing Google Cloud Storage buckets, along with some security tools that can help secure cloud storage buckets. Here are some general controls that cloud customers should be using:
- Implement strong access controls: Use granular access controls to limit access to the bucket to authorized users only.
- Enable encryption: Encrypt data at rest and in transit to protect it from unauthorized access.
- Regularly review and update security settings: Regularly review and update security settings to ensure that they remain appropriate.
- Use cloud security tools: Consider using cloud security tools and AI-driven threat intelligence platforms like Cyble’s CTI and Odin offerings to help identify and address misconfigurations.
By following these best practices, organizations can help reduce the risk of misconfigured cloud storage buckets and protect their sensitive data.
Neither Alice’s Table nor 1-800-Flowers had responded to Cybernews’ request for comment at the time of publication.