bucketchallenge

@bucketchallenge@infosec.exchange
714 Followers
114 Following
157 Posts
S3 buckets are my hobby. Ice-cold nightmares about the insecurity of the cloud.
I will not link a bucket here on Mastodon while it is still open, as the data in those buckets would hurt innocent people.

With great thanks to @masek and @JayeLTee and others who assisted or tried to, including Rogers ISP and law enforcement in Canada, we can finally say:

Bolton Walk-In Clinic patient data leak locked down!

Read about this very frustrating effort to get exposed patient data locked down:

https://databreaches.net/2025/06/30/bolton-walk-in-clinic-patient-data-leak-locked-down-finally/

#healthsec #PHIPA #HIPA #cybersecurity #infosec #incidentresponse #dataleak

PostMortem: Assumed DOJ Montana Leak of Phone Dumps

Type of leak

Highly confidential information on a public SMB share without authentication

Threats from the leak

I see the following threats:

  • Integrity and Confidentiality of investigations into serious crimes compromised
  • Privacy of U.S. citizens compromised (very likely to contain most intimate data)
  • Providing 3rd parties hostile to the U.S. with blackmail material

1/4

Some wild things I found exposed recently that I am actively trying to close down:

1) 🇺🇸 Criminal defense firm with archived case files exposed (evidence, discovery, court docs, etc.), including crash reports with dead people - Contacted the law firm last week; nothing done.

2) 🇺🇸 Phone extracts for multiple cases that have been in the news, including a case of a cop suicide and sexual abuse cases - Looking at who to notify about this one, being extra careful as the file listing suggests illegal material gathered as evidence might be exposed on it.

3) 🇳🇿 A database backup with a table that includes someone's diary, with a lot of entries about their sexual life.
This backup also includes ~1,500 logins for a police association in other tables, and credentials to multiple companies & websites - Contacted higher-ups in the police association for help identifying who is responsible, but so far no reply.

Just a few more servers to add to the list of dozens of pending cases. Will start escalating contacts until stuff gets fixed.

#cybersecurity #infosec #responsibledisclosure #threatintel #readyouremail

Good news today: The #s3 #bucket was closed. The bucket was XXX, so I assume YYY to be responsible for leaking 22.4 million pictures of Japanese babies. As there were only pictures in the bucket, I can only guess from the name and the content, which match.
EDIT: The bucket is open again. WTF. 😩
And tonight I escalated the #s3 #bucket to #AWS. I explicitly asked them to contact their customer. I am sure I will be told to memorize their "shared responsibility", and that no responsibility lies with them.
And I escalated this bucket to the #Japanese #CERT. So far the #s3 #bucket is still open.
Tonight I sent an email to a service from Japan. 8 TB, or 22 million pics, of #babies, all in an #s3 #bucket at #AWS. Cute, but should not be online in this form.

If you ask: Where do cyber criminals get all their information?

I can answer you that...

For a cyber criminal it is important to know how much money (at least the order of magnitude) a potential victim has.

It would look bad if they tried to cheat a poor bloke out of some millions.

For that reason it is extremely nice (sarcasm) that a Colombian bank puts millions of documents about their customers (credit authorizations, creditworthiness reports, etc.) online WITHOUT any authentication or authorization required.

In order to fulfill their duty to the criminals of the world, they also put scans of those citizens' official ID cards online (both sides, of course).

On some days I cannot eat as much as I want to throw up.

Such is life in #infosec

Currently I am busy with my contacts in Colombia, trying to find someone to take care of that. It would be much easier if said bank followed RFC 9116. But alas, no such luck.

I will name the bank once the leak is closed.

After I reported an open #s3 #bucket to the Duebi Group from Italy (https://www.duebigroup.com/) last November, the bucket was deleted yesterday. The bucket contained customer data such as telephone numbers, e-mail addresses and bank account numbers (IBANs), as well as names and clear-text passwords.

I guess the Italian data protection authority did take care of them.

Why on earth do people still save clear-text passwords?

Industrial electrical systems in Milan, Varese, Como - Duebi Impianti Srl

We design and install highly technological, top-quality industrial electrical and industrial automation systems.

Duebi Impianti Srl

From a chat with a support AI:
"Thanks! I have passed the information on. A member of our team will get in touch by e-mail soon.
Have a nice day.
Thank you. We have passed the information on. A member of our team will be in touch soon."
Once again I need to talk to someone about a #bucket